
CBS Interfaces

N D Kundu

Agenda
- Alternate Delivery Channels
- Automated Teller Machines
- Internet Banking
- Real Time Gross Settlement
- Cash Management Systems

External Interfaces
- ATM Interface
- ATM interface with switch
- Tele banking
- Internet banking
- Mobile Banking
- Cash Management
- Real Time Gross Settlement
- Bunch Note Acceptor

IT and Retail Payment Systems

[Diagram: Central Bank, Clearing House, Bank A and Bank B with their Customers; National Payment System; Retail Payment System (ATM, EFTPOS, Credit Cards)]

List of Interfaces and mode of connectivity

Mode of connectivity    Global Treasury    CTS    DMS    CMS
Interfaces used                      19      6      4      6
STP TCP/IP                            1      1      -      2
DBlink                                4      1      -      1
FTP                                   -      -      1      -
STP SFTP                              2      -      1
Network Share                         9      2      -      -
Manual                                2      1      1
DB Port                               1      1      1      -
RDP                                   -      1      1      -
SMTP                                  -      -      -      1

Connect-24
- One view to the external world through all delivery channels
- Middleware for real-time interface of delivery channels to Finacle
- Supports traditional and emerging delivery channels viz. ATM, Telephone or Internet using ISO 8583 and OFX standards

[Diagram: Connect-24 at the Data Center linking the Finacle database to POS, e-Channels/e-Corporate over the Public Network, Telebanking, the ATM SWITCH with its ATMs, and Desktops]

Automated Teller Machine (ATM)
- ATM Card & Debit Card
- Procedure for issuing ATM Cards
- ATM Switches
- Host Security Module
- Natural PIN Generation
- Storage of PIN??
- Track 2 on Magnetic-strip
- Chip based Card
- Cash Dispenser

Functions of ATM
- Cash Withdrawal
- Balance Inquiry
- Cheque book request
- PIN Change
- Mini Statement
- Utility Bill Payment
- Mobile Top-up
- Updation of Mobile number

ATM Structure

Functioning of the ATM
- Customer swipes the card
- Enters PIN, encrypted using HSM/SSM
- Validation of data by SWITCH
- Customer authenticated
- Service request like withdrawal of cash sent to Database
- Balance verification for adequacy
- Account debited and on confirmation ATM dispenses cash
- In the changed process, even if the cash is not picked up, it will not go back to the ATM BIN.
- All details recorded in journal
- Interchange agency: VISA, MASTER, RUPAY

Verification of PIN
- Customer inserts card & enters PIN
- Encrypted PIN sent to ATM Switch
- ATM verifies card details from database & confirms correctness
- Natural PIN generated
- Switch holds the offset value, which is the difference between actual PIN & natural PIN
- This offset value is verified using HSM/SSM
- If tallied, customer/card is authenticated

Change of PIN
- Card inserted, verified from Switch databases
- PIN change option: enter old PIN, verified through SSM/HSM
- Enter new PIN
- Using card no. and Natural PIN, new offset value generated & stored in SSM/HSM
- Old offset value erased
- Nowhere in the system is the PIN stored
- There is a process of computing PIN using card no. & the offset value stored in HSM/SSM.

Operational Issues
- Insufficient Cash
- Journal paper exhausted
- Network connection lost
- Faulty card
- CCTV should be there
- Guard/watchman should be insisted upon
- Three wrong attempts: card should be blocked
- Limit of cash withdrawal, no. of txn per day
- Hotlisting of cards
- Fraud Risk Management Solution

Evaluation of Controls in ATM
- Card & PIN generation process
- Dealing with surrendered cards
- Security of PIN
- Control over cash
- Maintenance of transaction records
- Dealing with lost/stolen cards
- ATM Switch operations

Card & PIN Generation
- Separate department to handle card & PIN
- Confidentiality in PIN mailer generation
- Reconciliation of no. of PIN mailers & cards produced
- Physical & Logical access control
- Flow of data to card printing agency, if outsourced
- Stock of blank cards
- Control on card embossing & PIN mailer
- PIN & card should be despatched separately by different courier
- Record maintenance
- Handling of returned cards

Surrendered & Captured Cards
- Complete documentation
- Process for replacement of card & PIN
- Process for making captured card ineffective
- PIN mailer need not be returned by customer
- Register for surrendered cards
- Removal of captured cards on regular basis
- Report from Data Centre & reconciliation
- Capture procedure for entering wrong PIN thrice

Security of PIN
- Report by customer: block immediately
- Not to disclose PIN to anyone
- Process of timely generation of new PIN
- PIN/PIN offset should always be in encrypted form
- HSM/SSM should be in self-destructive mode
- All storage for PIN encryption should be zeroised after each calculation
- No hard copy of record of PIN produced

ATM Cash Management
- Documented procedures for cash balancing
- Journal should automatically record all withdrawals
- Cash inserted in each BIN/cassette should also be recorded
- Cash reconciliation for cash dispensed, remaining cash, misfit notes
- All discrepancies noted & reported
- Maintenance of cash & reconciliation by 2 different persons
- Wrong denomination should be doubly checked
- Daily balance procedure

Record Maintenance
- Journal Roll recording of all events
- Hard copies of journal to be preserved
- Soft copy of EJ: no modification allowed
- Secure storage of EJ
- Journal roll should be checked regularly
- Unauthorised opening of ATM should also be recorded
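The natural-PIN / offset scheme described on the slides, as an added example that is not part of the presentation: the HSM's block-cipher step is stood in for by HMAC-SHA256 over the card number under a constructed PIN verification key (PVK), and the card number, PINs and the three-attempt block threshold are constructed for the demo. It shows that the switch stores only the offset and a failure counter, that a PIN change replaces the offset without the PIN ever being written anywhere, and that the card is blocked after three wrong attempts.

```python
"""Natural PIN / PIN offset verification, simulating the HSM in software.

Added example (not from the presentation). A real Host Security Module keeps
the PIN verification key (PVK) inside tamper-resistant hardware and only
answers "generate offset" / "verify" calls; HMAC-SHA256 stands in here for
its block-cipher operation (an assumption for this demo). The scheme is the
same: natural PIN = f(card number, PVK); offset = chosen PIN - natural PIN.
"""
import hashlib
import hmac

# Constructed demo key. In production it never leaves the HSM.
PVK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Decimalisation table: maps each hex nibble 0-f to a decimal digit.
DECIMALISATION = "0123456789012345"

PIN_LENGTH = 4
MAX_WRONG_ATTEMPTS = 3  # "Three wrong attempts: card should be blocked"


def natural_pin(card_number: str) -> str:
    """Derive the natural PIN from the card number under the PVK.

    The customer's chosen PIN plays no part: the natural PIN is a pure
    function of (card number, PVK), so it is recomputed, never stored.
    """
    mac = hmac.new(PVK, card_number.encode("ascii"), hashlib.sha256).hexdigest()
    return "".join(DECIMALISATION[int(nibble, 16)] for nibble in mac[:PIN_LENGTH])


def generate_offset(card_number: str, chosen_pin: str) -> str:
    """Offset = (chosen PIN - natural PIN), digit-wise modulo 10.

    This is the only PIN-related value the switch stores. Without the PVK
    (i.e. without the HSM) the offset alone reveals nothing about the PIN.
    """
    nat = natural_pin(card_number)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def verify_pin(card_number: str, entered_pin: str, stored_offset: str) -> bool:
    """Recompute natural PIN + offset and compare in constant time."""
    nat = natural_pin(card_number)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, stored_offset))
    return hmac.compare_digest(expected, entered_pin)


class SwitchCardRecord:
    """Minimal model of the ATM switch's card record: offset + failure count."""

    def __init__(self, card_number: str, initial_pin: str) -> None:
        self.card_number = card_number
        self.offset = generate_offset(card_number, initial_pin)
        self.failed_attempts = 0
        self.blocked = False

    def authenticate(self, entered_pin: str) -> bool:
        """Verify one PIN entry; block (capture/hot-list) after three failures."""
        if self.blocked:
            return False
        if verify_pin(self.card_number, entered_pin, self.offset):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_WRONG_ATTEMPTS:
            self.blocked = True
        return False

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """Verify the old PIN, then replace the offset; the old offset is erased."""
        if not self.authenticate(old_pin):
            return False
        self.offset = generate_offset(self.card_number, new_pin)
        return True


if __name__ == "__main__":
    card = SwitchCardRecord("4000123456789010", "4826")  # constructed card and PIN
    print("stored offset:", card.offset)                 # never equals the PIN itself
    print("correct PIN accepted:", card.authenticate("4826"))
    print("wrong PIN accepted:", card.authenticate("0000"))
```

Note that `change_pin` only ever writes a new offset: the PIN entered by the customer exists in memory for the duration of the calculation, which is exactly why the slides require PIN-encryption storage to be zeroised after each calculation.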

Lost & Stolen Cards
- Documented Procedure
- Up-to-date record of all stolen cards
- Restricted access
- Facility to identify when a stolen card is used
- Reject the transaction or capture the card on trigger
- Procedure to note verbal instruction to stop usage
- Replacement card after written request only
- Legal provisions to be followed
- Report to be generated & preserved

ATM Switch Operations
- ATM switch is also a server with database
- Card No. & its offset value stored
- Details of hotlisted cards
- Details of surrendered cards
- Account balance of customer

ATM Audit Check List
- Security guard & CCTV
- Control on Server OS & DB
- Sys Admin controls
- Security of Admin password
- Setting of parameters like max. no. of withdrawals, withdrawal per day, no. of failed attempts etc.
- Review the procedure for configuration
- Only authorised modification allowed
- Security of key encryption & decryption
- Review procedure for hot-listing
- Review types of logs generated
- Agreement with other Banks & agency.

Skimming Sample

Picture Source: http://www.snopes.com/fraud/atm/atmcamera.asp
This is how an ATM that has been doctored with skimming devices looks: surprisingly, it looks normal, but closer scrutiny reveals otherwise.

The underground ecosystem has been unofficially maintaining lists of scammers within the scammers, with sales of a particular service or product driven mainly by the positive or negative feedback.

Skimming Sample

Picture Source: http://www.snopes.com/fraud/atm/atmcamera.asp
There is a hidden camera in the pamphlet holder.

DV_IP ATM - http://www.usfst.com/pastissue/article.asp?art=272050&issue=228
http://www.globalasa.com/cardholder.html

Skimming Sample

Picture Source: http://www.snopes.com/fraud/atm/atmcamera.asp
The card reader has a skimming device attached.

Internet Banking
- Banking transactions through Internet
- Permitted to registered customers only
- Any time, anywhere banking, 24x7
- Adequate security to be built
- Customer awareness to be increased
- Beware of phishing attacks

Internet Banking Components
- Demilitarised Zone
- Web server
- Internet Banking Application Server (IBAS)
- Internet Banking Database Server (IBDS)
- Middleware Connect 24
- Central Database Server
- Firewall

- Customer accesses Bank's website using a browser
- Customer types Internet Banking user name and password
- Web server sends the Bank's web page to the customer
- Web server sends user name and password to IBAS
- IBAS requests user name and password of the customer from IBDS
- IBDS sends user name and password of customer to IBAS
- Web server presents the facing page of the customer's account (assuming customer is authenticated)
- IBAS authenticates the customer and intimates the web server
- Customer chooses an IB service, say account statement view
- Web server forwards the service request to IBAS for processing
- IBDS requests customer account information from Core DB, which is accessed via Middleware
- Middleware forwards request from IBDS to Core DB
- IBAS requests customer account information from IBDS
- Core DB retrieves customer account information and forwards it to the middleware
- Middleware converts customer account information to suit the requirements of IBDS
- IBDS temporarily stores customer account information
- IBAS accesses the customer information in IBDS and presents it to the Web Server
- Web server presents the customer a dynamic web page with the account information
- Customer is presented with the requested account statement

Internet Banking Process
- Customer application: issue ID & Password
- Login password & Transaction password
- Change password immediately after first login
- Browser based access through web pages
- Website/URL hosted in web server
- Web server is in DMZ of DC
- Separate Firewall for Web server
- Access through user-ID & login password
- Customer detail will flow from web server to IBAS
- IBAS accesses IBDS, which contains all details of IB customers
- IBDS will verify the details, otherwise access will be denied
- On successful authentication, customer will get access.

IB-available functions
- Fund transfer: self & third party
- Balance inquiry
- Statement of accounts
- Opening of Fixed Deposit & Recurring Deposit account
- Request for Cheque Book
- Stop Payment
- ATM/Debit card queries
- Other value added services

Process Flow
- Customer chooses his function, say statement of account
- Web server sends information to IBAS
- IBAS accesses IBDS for getting data
- IBDS will interact with Central DB server through middleware
- Middleware converts the data to suit the requirement of central DB
- IBDS forwards customer data to IBAS, which processes the request
- Statement of accounts from central DB made available to IBDS
- IBDS will send to IBAS, then to web browser
- Web server generates dynamic web pages
- Customer will get their required services.

Security Concerns
- Hacking, Phreaking
- Phishing, Vishing etc.
- Incorrect account linkage
- Fraudulent balance transfer
- Unauthorised access
- Cyber-related frauds
- Lack of segregation of duties
- Incorrect Firewall configuration
- Insufficient built-in application controls
- Unstructured change management procedures

Audit Program of Internet Banking
- Security policy
- User identity & authentication
- Access control to operating staff, proper segregation
- Sysadmin roles & responsibilities
- Firewall configuration
- Live & test environment separation
- Network security
- Router configuration
- Web server security
- Built-in operation control
- Key Management procedure
- HSM/SSM security
- Change Management process
- Data/information/system security

Naavi, Ujvala Consultants

Internet banking systems have security features such as separate transaction passwords, two factor authentication, multi-channel process for registering payees, upper limit on transaction value and SMS alerts to customers. Appropriate verification procedures should also be incorporated at all channels such as phone banking, ATMs, branches and internet to ensure that only genuine transactions are put through.

Defeating 2-factor
Enterprise Security: trends & concepts
- Vishing attacks: phisher poses as Bank's call center personnel on telephone and requests customer for SMS OTP for verification
- Smartphone malware to capture OTP
- Malware on Symbian and Palm OS for stealing SMS from banks
- Physical SIM replacement
- Multiple cases seen in India over last year

Phishing, NetBanking & Call Center Fraud Example

[Diagram: Internet Banking (My Accounts, Account Balance, Card Application) and Call Center. Steps: Uses Harvested Web Credentials; Get Personal Data from Autoforms; Authenticate using Personal Details and gets new PIN; Request Transfer. Sample harvested record: Account Id 12345678; Passcodes godisGreat; 2 Factor Auth; Address Belapur; DOB 15 Aug 1947; Products Card, Current; Mother's Name Sheela]

[Diagram: branch layout with Discussion Room, Universal Teller, Customer Care Team, Customer Waiting Area, Reception, Customer Sales Officer]

Internal Transaction Fraud
- 30 crore transferred in 12 minutes using RTGS
- Fraud transactions were carried out early morning, before the branch is fully operational
- Bank employee logs in with a user-id with Maker privileges
- Creates an RTGS transaction for 17 crore debiting a corporate account in another branch. Beneficiary is a corporate account in an external bank
- Logs out and logs in from the same machine with a user-id with Checker privileges and approves the transaction
- Repeats the same cycle to put through a second RTGS transaction of 13 crore from the same account
- All fraud transactions were carried out from a new IP in the branch subnet range

Risk Based Authentication - Internet Banking

Risk Based Authentication Flow

Login/Transaction activity -> Real Time Risk Assessment (Policies)
  Low Risk  -> Continue
  High Risk -> Customer Challenge (Token, Knowledge Based, SMS, Soft tokens, Device Based, Interactive)
                 Pass -> Continue
                 Fail -> Block
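A real-time risk assessment of RTGS maker/checker approvals, added here as an example that is not from the presentation. It encodes the warning signs of the internal transaction fraud slide (checker session on the same workstation as the maker, a source IP not previously seen in the branch, approval before the branch is operational, a second debit of the same account within minutes) as policies, and maps the resulting score onto the Continue / Customer Challenge / Block outcomes of the risk-based authentication flow. The branch policy, thresholds, IP addresses, user-ids, workstation names and transactions are all constructed for the demo.

```python
"""Real-time risk assessment of RTGS checker approvals (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

CONTINUE, CHALLENGE, BLOCK = "continue", "challenge", "block"


@dataclass
class Session:
    user_id: str
    role: str                 # "maker" or "checker"
    source_ip: str
    workstation: str          # hostname or device fingerprint of the login
    login_time: datetime


@dataclass
class RtgsTransaction:
    txn_id: str
    debit_account: str
    amount_inr: int
    maker: Session
    checker: Optional[Session] = None


@dataclass
class BranchPolicy:
    known_ips: Set[str]       # hosts previously seen in the branch subnet
    open_hour: int            # branch fully operational from this hour (24h clock)...
    close_hour: int           # ...until this hour
    high_value_inr: int       # above this amount a single checker is not enough
    repeat_window: timedelta  # second debit of the same account inside this window


@dataclass
class Assessment:
    decision: str
    score: int
    reasons: List[str] = field(default_factory=list)


def assess_approval(txn: RtgsTransaction, policy: BranchPolicy,
                    recent: List[RtgsTransaction]) -> Assessment:
    """Score the checker's approval of `txn` against the branch policy."""
    if txn.checker is None:
        return Assessment(BLOCK, 100, ["approval submitted without a checker session"])
    maker, checker = txn.maker, txn.checker
    score, reasons = 0, []

    def flag(points: int, reason: str) -> None:
        nonlocal score
        score += points
        reasons.append(reason)

    if checker.user_id == maker.user_id:
        flag(100, "maker and checker are the same user-id")
    if checker.workstation == maker.workstation:
        flag(50, "maker and checker sessions originate from the same workstation")
    if checker.source_ip not in policy.known_ips:
        flag(30, f"checker IP {checker.source_ip} not previously seen in the branch")
    if not policy.open_hour <= checker.login_time.hour < policy.close_hour:
        flag(20, "approval outside branch operating hours")
    if txn.amount_inr > policy.high_value_inr:
        flag(30, "amount above the single-checker limit")
    for prev in recent:  # velocity: same account debited again within the window
        if (prev.debit_account == txn.debit_account and prev.checker is not None
                and abs(checker.login_time - prev.checker.login_time) <= policy.repeat_window):
            flag(30, f"repeat debit of {txn.debit_account} within window (after {prev.txn_id})")
            break

    decision = BLOCK if score >= 80 else CHALLENGE if score >= 30 else CONTINUE
    return Assessment(decision, score, reasons)


# Constructed branch policy: three known hosts, 9-18h operating hours, 10 crore limit.
POLICY = BranchPolicy(known_ips={"10.20.5.11", "10.20.5.12", "10.20.5.13"},
                      open_hour=9, close_hour=18, high_value_inr=10_00_00_000,
                      repeat_window=timedelta(minutes=15))


def run_demo() -> Dict[str, Assessment]:
    """Constructed scenarios: the two fraud legs from the slide, a routine
    transfer, and a large but otherwise normal one."""
    t0 = datetime(2024, 3, 4, 6, 5)          # early morning, branch not yet open
    new_host = ("10.20.5.77", "BR-WS-NEW")   # unseen IP, one shared workstation
    fraud1 = RtgsTransaction("RTGS-001", "CORP-7781", 17_00_00_000,
                             Session("mk01", "maker", *new_host, t0),
                             Session("ck02", "checker", *new_host, t0 + timedelta(minutes=3)))
    fraud2 = RtgsTransaction("RTGS-002", "CORP-7781", 13_00_00_000,
                             Session("mk01", "maker", *new_host, t0 + timedelta(minutes=6)),
                             Session("ck02", "checker", *new_host, t0 + timedelta(minutes=10)))
    t1 = datetime(2024, 3, 4, 11, 0)         # routine mid-morning activity
    legit = RtgsTransaction("RTGS-003", "CORP-1204", 50_00_000,
                            Session("mk05", "maker", "10.20.5.11", "BR-WS-01", t1),
                            Session("ck06", "checker", "10.20.5.12", "BR-WS-02", t1 + timedelta(minutes=4)))
    large = RtgsTransaction("RTGS-004", "CORP-3310", 12_00_00_000,
                            Session("mk05", "maker", "10.20.5.11", "BR-WS-01", t1),
                            Session("ck06", "checker", "10.20.5.13", "BR-WS-03", t1 + timedelta(minutes=2)))
    return {
        fraud1.txn_id: assess_approval(fraud1, POLICY, []),
        fraud2.txn_id: assess_approval(fraud2, POLICY, [fraud1]),
        legit.txn_id: assess_approval(legit, POLICY, []),
        large.txn_id: assess_approval(large, POLICY, []),
    }


if __name__ == "__main__":
    for txn_id, result in run_demo().items():
        print(txn_id, result.decision, result.score, "; ".join(result.reasons))
```

The two fraud legs score as Block even though two distinct user-ids were used, because the same-workstation and unseen-IP signals are independent of who is logged in; the large but otherwise normal transfer is routed to a Customer Challenge (for instance a second checker or an out-of-band confirmation) rather than blocked outright.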

Cash Management System
- Exclusive utility for all-India based customers
- Collection & Payment at different locations on a large scale
- High volume of disbursement for salary, dividend payment
- Need not open account in multiple centres
- Multiple centres authorised to receive cheques etc.
- Credit to base account on same day, subject to limit
- MIS generated; partywise, location-wise reports available
- Information through e-mail

Parameter setting
- Clearing cycle
- Credit limit
- Slab maintenance
- Interest calculation
- Processing charges
- Waiver of charges

Validation of data / Encryption Controls
- Calculation process to be verified
- Any modification allowed in the middle?
- Integrity of data: implement encryption
- Security on data moving through internet
- Authentication & verification
- EOD processing
- Pooling account reconciliation: zeroise daily
- Interface with CBS
- Built-in controls for exception reporting
- Audit trail to be maintained.

Real Time Gross Settlement
- Inter Bank Money transfer system
- No waiting period: immediate, within 2 hours
- All transactions are gross, reflected in central bank account
- Payment is final & irrevocable
- Minimum amount 1 lac, no upper limit
- Debit first to customer account & credit through RBI
- Customer makes the application, rest is automatic
- Correct account number and IFSC code of the Bank branch
- Money will return within 2 hours, if not credited.

RTGS information
- Amount to be remitted
- Customer account number
- Name of beneficiary Bank
- Name of beneficiary
- Account number of Beneficiary
- IFSC Code
- Type of account

RTGS Technology
- Routed through INFINET
- SFMS formats are used for messages
- RBI CBS uses a mainframe to handle the system
- Inter Bank Fund Transfer Processor (IFTP) & Integrated Accounting System of RBI used.
- Messages in standard MQ Series software of IBM
- RTGS Client software is the participant interface (PI)
- PI processes the inward and outward messages
- IFTP transmits it to RTGS of RBI
- From RBI it will travel to destination Bank in the same way.

RTGS

RTGS Message Flow
- Participant Interface
- Inter Bank Fund Transfer Processor at RBI
- RTGS System at RBI
- Communication Systems
- Encryption Process of Transactions
- PI Interface: Gateway Module; Outward Message Manager at OMM server; Inward Message Manager at IMM server
- User Control Tool
- Settlement

RTGS

THANK YOU VERY VERY MUCH