Bank information security protection measures. Information security (IS) in banks. Protection of information in electronic payment Internet systems
Banking activities have always been associated with the processing and storage of large amounts of confidential data. First of all, this is personal data about clients, their deposits and all operations performed.
All commercial information stored and processed in credit institutions is subject to a wide variety of risks associated with viruses, hardware failure, operating system failures, etc. But these problems are not capable of causing any serious damage. Daily data backup, without which the operation of any enterprise’s information system is unthinkable, reduces the risk of irretrievable loss of information to a minimum. In addition, methods of protection against the listed threats are well developed and widely known. Therefore, the risks associated with unauthorized access to confidential information (NSD, as it is abbreviated in Russian) come to the fore.
Unauthorized access is a reality
Today, there are three most common ways to steal confidential information. Firstly, physical access to the places of its storage and processing. There are many options here. For example, attackers can break into a bank office at night and steal hard drives with all the databases. Even an armed raid is possible, the purpose of which is not money, but information. It is possible that a bank employee himself may take the information carrier outside the territory.
Secondly, use backups. In most banks, backup systems for important data are based on tape drives. They record the copies they create onto magnetic tapes, which are then stored in a separate location. Access to them is regulated much more leniently. During their transportation and storage, a relatively large number of people can make copies of them. The risks associated with backing up sensitive data should not be underestimated. For example, most experts are confident that the databases of transactions of the Central Bank of the Russian Federation, which went on sale in 2005, were stolen precisely thanks to copies taken from magnetic tapes. There are many similar incidents known in world practice. In particular, last September, employees of Chase Card Services (a division of JPMorgan Chase & Co.), a credit card provider, mistakenly threw away five magnetic tapes containing backup copies containing information on 2.6 million Circuit City credit account holders.
Thirdly, the most likely way of leaking confidential information is unauthorized access by bank employees. When only standard operating system tools are used to separate rights, users often have the opportunity to indirectly (with the help of certain software) copy the databases they work with in full and move them outside the company. Sometimes employees do this without any malicious intent, simply to work with the information at home. However, such actions are a serious violation of security policy, and they can become (and do become!) the cause of confidential data being made public.
In addition, in any bank there is a group of people who have elevated privileges on the local network. We are talking about system administrators. On the one hand, they need it to perform their official duties. But, on the other hand, they have the opportunity to gain access to any information and “cover their tracks.”
Thus, the system for protecting banking information from unauthorized access must consist of at least three subsystems, each of which provides protection against its own type of threats. These are a subsystem for protecting against physical access to data, a subsystem for ensuring the security of backup copies, and a subsystem for protecting against insiders. And it is advisable not to neglect any of them, since each threat can cause the disclosure of confidential data.
Isn't there a law for banks?
Currently, the activities of banks are regulated by the federal law “On Banks and Banking Activities”. It, among other things, introduces the concept of “bank secrecy”. According to it, any credit institution is obliged to ensure the confidentiality of all data on customer deposits. It bears responsibility for their disclosure, including compensation for damage caused by the leak of information. At the same time, there are no requirements for the security of banking information systems. This means that banks make all decisions on the protection of commercial data independently, based on the experience of their own specialists or of third-party companies (for example, those performing information security audits). The only recommendation is the standard of the Central Bank of the Russian Federation “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions”. It first appeared in 2004, and in 2006 a new version was adopted. When creating and finalizing this departmental document, current Russian and international standards in the field of information security were used.
The Central Bank of the Russian Federation can only recommend it to other banks, but cannot insist on mandatory implementation. In addition, the standard contains few clear requirements guiding the selection of specific products. It is certainly important, but at the moment it has no serious practical significance. For example, about certified products it says this: “... certified or approved means of protecting information from unauthorized access can be used.” There is no corresponding list.
The standard also lists the requirements for cryptographic means of protecting information in banks. And here there is already a more or less clear definition: “CIPF... must be implemented on the basis of algorithms that comply with the national standards of the Russian Federation, the terms of the agreement with the counterparty and (or) the standards of the organization.” Compliance of the cryptographic module with GOST 28147-89 can be confirmed through certification. Therefore, when using encryption systems in a bank, it is advisable to use software or hardware crypto providers certified by the FSB of the Russian Federation, that is, external modules that connect to the software and implement the encryption process itself.
In July last year, the Federal Law of the Russian Federation “On Personal Data” was adopted, which came into force on January 1, 2007. Some experts associated it with the emergence of more specific requirements for banking security systems, since banks are organizations that process personal data. However, the law itself, which is certainly very important in general, is not applicable in practice today. The problem is the lack of standards for the protection of private data and bodies that could monitor their implementation. That is, it turns out that banks are currently free to choose commercial information protection systems.
Physical access protection
Banks traditionally pay very great attention to the physical security of operational branches, departments for storing valuables, etc. All this reduces the risk of unauthorized access to commercial information through physical access. However, bank offices and technical premises in which servers are located usually do not differ from the offices of other companies in terms of the level of protection. Therefore, to minimize the described risks, it is necessary to use a cryptographic protection system.
Today there are a large number of utilities on the market that encrypt data. However, the peculiarities of their processing in banks impose additional requirements on the corresponding software. First, the cryptographic protection system must implement the principle of transparent encryption. When using it, the data in the main storage is always only in encrypted form. In addition, this technology allows you to minimize the costs of regular work with data. They do not need to be decrypted and encrypted every day. Access to information is carried out using special software installed on the server. It automatically decrypts information as it is accessed and encrypts it before writing it to your hard drive. These operations are performed directly in the server's RAM.
Secondly, banking databases are very large. Thus, a cryptographic information protection system must work not with virtual, but with real partitions of hard drives, RAID arrays and other server storage media, for example, SAN storage. The fact is that container files that can be connected to the system as virtual disks are not designed to work with large amounts of data. When the virtual disk created from such a file is large, even a few people accessing it simultaneously produce a significant decrease in the speed of reading and writing information. The work of several dozen people with a large container file can turn into sheer torture. In addition, you need to consider that these objects are at risk of damage due to viruses, file system failures, etc. After all, in essence, they are ordinary files, only quite large in size. And even a slight change in them can make it impossible to decrypt all the information contained in them. Both of these mandatory requirements significantly narrow the range of products suitable for implementing protection. In fact, today there are only a few such systems on the Russian market.
There is no need to consider in detail the technical features of server systems for cryptographic information protection, since in one of the previous issues we have already compared these products. (Stolyarov N., Davletkhanov M. UTM protection.) But it is worth noting some features of such systems, the presence of which is desirable for banks. The first is related to the already mentioned certification of the cryptographic module used. Most banks already have the appropriate software or hardware. Therefore, a server-based information security system must provide for the possibility of connecting and using them. The second special requirement for an information security system is the ability to integrate into the physical security system of an office and/or server room. This allows you to protect information from unauthorized access due to theft, hacking, etc.
Banks should pay special attention to the safety of information, since it is actually the clients’ money. Therefore, the security system must have special capabilities that minimize the risk of its loss. One of the most noticeable is the function of detecting bad sectors on the hard drive. In addition, the ability to pause and cancel the initial disk encryption, decryption, and re-encryption processes is of great importance. These are quite lengthy procedures, any failure during which threatens the complete loss of all data.
The human factor has a very large influence on the risks associated with unauthorized access to confidential information. It is therefore desirable that the security system be capable of reducing this dependence. This is achieved by using reliable means of storing encryption keys: smart cards or USB keys. Including such tokens in the product package is optimal; it not only optimizes costs, but also ensures full compatibility of software and hardware.
Another important function that allows minimizing the influence of the human factor on the reliability of the security system is key quorum. Its essence is to divide the encryption key into several parts, each of which is entrusted to one responsible employee. To mount a protected drive, a specified number of parts is required. Moreover, it may be less than the total number of key parts. This approach protects data from misuse by the responsible employees themselves, and also provides the flexibility necessary for the bank’s work.
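The key quorum described above is usually implemented as threshold secret sharing. The following is an added example, not code from the article or from any of the products it discusses: it splits a volume key into n shares so that any k of them (k may be less than n) reconstruct it, using Shamir's scheme over a prime field. The field prime, the share counts and the volume key are constructed for the example; the same split applies equally to the key that protects backup media.

```python
import secrets
from typing import Callable, List, Tuple

# Field for the scheme: 2**521 - 1 is a Mersenne prime, so any key of up to 512 bits
# fits in one field element. (Constructed parameters for this example.)
PRIME = 2**521 - 1

Share = Tuple[int, int]   # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, shares_total: int,
                 rand_below: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into `shares_total` shares of which any `threshold` reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 <= threshold <= shares_total < PRIME:
        raise ValueError("need 1 <= threshold <= shares_total")
    # The constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points leave every field element equally likely.
    coeffs = [secret] + [rand_below(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares_total + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0; correct only when len(shares) >= threshold."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def split_key(key: bytes, threshold: int, shares_total: int) -> List[Share]:
    """Convenience wrapper for a raw volume key (16 or 32 bytes)."""
    return split_secret(int.from_bytes(key, "big"), threshold, shares_total)


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Rebuild the raw key bytes from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    volume_key = secrets.token_bytes(32)                        # constructed: a fresh 256-bit volume key
    parts = split_key(volume_key, threshold=3, shares_total=5)  # 5 officers, any 3 can mount the drive
    print("any 3 of 5 recover the key:", recover_key(parts[:3], 32) == volume_key)
    print("a different 3 also recover it:", recover_key([parts[0], parts[2], parts[4]], 32) == volume_key)
    print("2 of 5 do not:", recover_key(parts[:2], 32) != volume_key)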
Backup protection
Regular backup of all information stored in the bank is an absolutely necessary measure. It allows you to significantly reduce losses in the event of problems such as data corruption by viruses, hardware failure, etc. But at the same time, it increases the risks associated with unauthorized access. Practice shows that the media on which backup copies are recorded should be stored not in the server room, but in another room or even another building. Otherwise, if a fire or other serious incident occurs, both the data itself and its archives may be irretrievably lost. It is possible to reliably protect backup copies from unauthorized use only with the help of cryptography. In this case, by keeping the encryption key in his own custody, the security officer can safely hand media with archives over to technical personnel.
The main difficulty in organizing cryptographic protection of backup copies is the need to separate responsibilities for managing data archiving. The system administrator or another technical employee must configure and run the backup process itself. The encryption of information must be managed by a responsible employee, the security officer. It must be understood that in the vast majority of cases backup is performed automatically. This problem can only be solved by “building in” a cryptographic protection system between the backup management system and the devices that record data (streamers, DVD drives, etc.).
Thus, in order for cryptographic products to be used in banks, they must also be able to work with various devices used to record backup copies on storage media: tape drives, CD and DVD drives, removable hard drives, etc.
Today, there are three types of products designed to minimize the risks associated with unauthorized access to backup copies. The first includes special devices. Such hardware solutions have many advantages, including reliable encryption of information and high speed. However, they have three significant drawbacks that prevent their use in banks. First: very high cost (tens of thousands of dollars). Second: possible problems with import into Russia (we must not forget that we are talking about cryptographic means). The third disadvantage is the inability to connect external certified crypto providers to them. These boards only work with encryption algorithms implemented in them at the hardware level.
The second group of backup cryptographic protection systems consists of modules that backup software and hardware developers offer their clients. They exist for all the most well-known products in this area: ArcServe, Veritas Backup Exec, etc. True, they also have their own peculiarities. The most important is that they work only with “their own” software or drive. Meanwhile, the bank's information system is constantly evolving. And it is possible that replacing or expanding a backup system may require additional costs for modifying the protection system. In addition, most products in this group implement old, slow encryption algorithms (for example, 3DES), there are no key management tools, and there is no ability to connect external crypto providers.
All this forces us to pay close attention to cryptographic protection systems for backup copies from the third group. It includes specially developed software, hardware and software products that are not tied to specific data archiving systems. They support a wide range of information recording devices, which allows them to be used throughout the bank, including all its branches. This ensures uniformity of protective equipment used and minimizes operating costs.
However, it is worth noting that, despite all their advantages, there are very few products from the third group on the market. This is most likely due to the lack of great demand for cryptographic backup protection systems. As soon as the management of banks and other large organizations realizes the reality of the risks associated with archiving commercial information, the number of players in this market will increase.
Protection from insiders
Recent studies in the field of information security, such as the annual CSI/FBI Computer Crime And Security Survey, have shown that financial losses to companies from most threats are decreasing year over year. However, there are several risks from which losses are increasing. One of them is the deliberate theft of confidential information or violation of the rules for handling it by those employees whose access to commercial data is necessary to perform their official duties. They are called insiders.
In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insider threats around the world. The heads of most banks are well aware of the danger of, for example, a database with personal data of their clients or, moreover, with transactions on their accounts falling into the hands of criminal structures. And they are trying to combat the possible theft of information using the organizational methods available to them.
However, organizational methods in this case are ineffective. Today you can organize the transfer of information between computers using a miniature flash drive, cell phone, mp3 player, digital camera... Of course, you can try to prohibit all these devices from being brought into the office, but this, firstly, will negatively affect relations with employees, and secondly, it is still very difficult to establish really effective control over people: a bank is not a “mailbox” (a closed secret-regime facility, in the Soviet sense of the word). And even disabling all devices on computers that can be used to write information to external media (FDD and ZIP drives, CD and DVD drives, etc.) and USB ports will not help. After all, the former are needed for work, and the latter are connected to various peripherals: printers, scanners, etc. And no one can stop a person from unplugging the printer for a minute, inserting a flash drive into the free port and copying important information to it. You can, of course, find original ways to protect yourself. For example, one bank tried this method of solving the problem: they filled the junction of the USB port and the cable with epoxy resin, tightly “tying” the latter to the computer. But, fortunately, today there are more modern, reliable and flexible control methods.
The most effective means of minimizing the risks associated with insiders is special software that dynamically manages all devices and computer ports that can be used to copy information. The principle of their work is as follows. Permissions to use various ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility. You can enter restrictions for specific types of devices, their models and individual instances. This allows you to implement very complex access rights distribution policies.
For example, you might want to allow some employees to use any printers or scanners connected to USB ports. However, all other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.
Based on the principle of operation of the protection systems described above, you can understand which points are important when choosing programs that implement dynamic blocking of recording devices and computer ports. Firstly, versatility. The protection system must cover the entire range of possible ports and input/output devices. Otherwise, the risk of theft of commercial information remains unacceptably high. Secondly, the software in question must be flexible and allow you to create rules using a large amount of varied information about devices: their types, manufacturers and models, the unique serial numbers that each instance has, etc. And thirdly, the insider protection system must be able to integrate with the bank’s information system, in particular with Active Directory. Otherwise, the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient, but also increases the risk of errors.
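To make the selection criteria above concrete, here is an added example of the rule evaluation such a device-control system performs; it is illustrative code, not the implementation of any product the article mentions. Rules match on device type, manufacturer, model, the instance's serial number and the port, are grouped per user group as a directory (the Active Directory of the text) would supply them, and every decision is written to an audit log; the policy, the directory and the plug-in events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """Descriptor of a device plugged into a workstation (constructed fields)."""
    device_class: str   # "printer", "scanner", "mass_storage", "smartcard", ...
    vendor: str
    model: str
    serial: str         # unique number of this particular instance
    port: str           # "usb", "cdrom", "floppy", ...


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule; a field left as None matches any value."""
    action: str                          # "allow" or "deny"
    device_class: Optional[str] = None
    vendor: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    port: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        wanted = (self.device_class, self.vendor, self.model, self.serial, self.port)
        actual = (dev.device_class, dev.vendor, dev.model, dev.serial, dev.port)
        return all(w is None or w == a for w, a in zip(wanted, actual))


# Constructed policy: rules are evaluated per group, first match wins, default deny.
POLICY: Dict[str, List[Rule]] = {
    "operators": [
        Rule("allow", device_class="printer", port="usb"),
        Rule("allow", device_class="scanner", port="usb"),
        # Only the bank's own token model is accepted; any other smartcard device is useless.
        Rule("allow", device_class="smartcard", vendor="TokenCo", model="BankKey-2"),
    ],
    "security_officers": [
        # One individually registered removable drive, identified by its serial number.
        Rule("allow", device_class="mass_storage", vendor="FlashCo", serial="SN-0001"),
    ],
}

# Stand-in for the directory service (Active Directory in the text): user -> groups.
DIRECTORY: Dict[str, List[str]] = {
    "ivanov": ["operators"],
    "petrova": ["security_officers", "operators"],
}

AUDIT_LOG: List[dict] = []


def decide(user: str, dev: Device) -> Tuple[bool, str]:
    """Return (allowed, reason) for a device plugged in under `user`, and record the event."""
    allowed, reason = False, "default deny: no rule matched"
    for group in DIRECTORY.get(user, []):
        hit = next((r for r in POLICY.get(group, []) if r.matches(dev)), None)
        if hit is not None:
            allowed = hit.action == "allow"
            reason = f"{hit.action} by rule of group {group}"
            break
    AUDIT_LOG.append({"user": user, "device": dev, "allowed": allowed, "reason": reason})
    return allowed, reason


def denied_events() -> List[dict]:
    """Events a security officer would review: every blocked device."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    events = [  # constructed plug-in events
        ("ivanov", Device("printer", "PrintCo", "LJ-1", "P-777", "usb")),
        ("ivanov", Device("mass_storage", "FlashCo", "Stick8G", "SN-4242", "usb")),
        ("ivanov", Device("smartcard", "TokenCo", "BankKey-2", "T-100", "usb")),
        ("ivanov", Device("smartcard", "OtherCo", "HomeKey", "T-999", "usb")),
        ("petrova", Device("mass_storage", "FlashCo", "Stick8G", "SN-0001", "usb")),
        ("petrova", Device("mass_storage", "FlashCo", "Stick8G", "SN-4242", "usb")),
        ("unknown", Device("printer", "PrintCo", "LJ-1", "P-777", "usb")),
    ]
    for user, dev in events:
        ok, why = decide(user, dev)
        verdict = "ALLOW" if ok else "DENY"
        print(f"{user:8} {dev.device_class:13} {dev.serial:8} -> {verdict:5} ({why})")
    print(f"{len(denied_events())} of {len(AUDIT_LOG)} events blocked")
```

Note that the flash drive plugged into the same USB port a printer normally occupies is still blocked: the rule names the device class, not the port alone, which is the case the text describes of unplugging a printer to free a port.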
Let's sum it up
So, today there are products on the market with the help of which any bank can organize a reliable system for protecting information from unauthorized access and misuse. True, when choosing them you need to be very careful. Ideally, this should be done by in-house specialists of the appropriate level. Using the services of third-party companies is also acceptable. However, in this case, a situation is possible where the bank is skillfully pushed towards not the most suitable software, but the software that is beneficial to the supplier company. In addition, the domestic market for information security consulting is in its infancy.
Meanwhile, making the right choice is not at all difficult. It is enough to arm yourself with the criteria we have listed and carefully study the security systems market. But there is a pitfall here that needs to be remembered. Ideally, the bank’s information security system should be unified. That is, all subsystems must be integrated into the existing information system and, preferably, have common management. Otherwise, increased labor costs for administering protection and increased risks due to management errors are inevitable. Therefore, to build all three protection subsystems described today, it is better to choose products released by one developer. Today in Russia there are companies that create everything necessary to protect banking information from unauthorized access.
Banks and everything related to them have always been a target for all kinds of fraudsters. Nowadays this fraud is associated with electronic crime. And I, as a person who is trying to prevent it, would like to highlight this issue a little and debunk the myth of the lone hacker who penetrates a banking system and obtains FULL access to its information resources.
First, let's look at the security problem of a computing complex. The security of a system is understood as its ability to resist attempts at penetration, unauthorized access, obtaining rights and privileges, and the destruction or distortion of information. We are more interested in internal security, i.e. ensuring that the system functions in its normal mode and ensuring the integrity, safety and confidentiality of information.
By analyzing the list of existing threats, the main directions of protecting a banking system can be determined:
- Physical protection, i.e. protection of equipment from mechanical damage, theft, and the installation of special equipment for electromagnetic pickup of information.
- Protection against unauthorized access (NSD).
- Protection of electronic document flow, i.e. public-key encryption of all significant electronic correspondence.
- Antivirus protection, i.e. installation of a set of specialized software to prevent malware from penetrating the computer network.
Having figured out what security is and having decided on the significance of ensuring it, let's move on to the means of electronic protection systems. Protection means include software, hardware, and hardware-software systems. In terms of characteristics, the most reliable protection system can only be implemented by hardware and hardware-software means. This is because such systems are most often specialized, i.e. they perform particular functions, which is a great advantage, since protecting or testing a specialized device is much simpler than a universal one. Another advantage of specialized systems is that they allow blocks with critical information to be isolated physically and logically. In addition, hardware-software systems provide reliable protection against modification, deletion or theft of information by system programmers or highly qualified personnel. Usually, hardware-software security systems provide a function for erasing secret information when an attempt is made to physically penetrate the hardware part of the system.
Taking into account also the economic efficiency of the security system, software alone is used more often, because the price of specialized hardware modules is quite high. Using software, you get a very flexible system that provides a sufficient level of protection, and at the same time an insignificant cost of maintaining the software complex (in comparison with a hardware system). Another important advantage of a software implementation of protection is the possibility of changing it towards complication or simplification, depending on security needs.
The following methods of protection can be implemented using software:
- Cryptographic transformation, i.e. encryption of information. The most common methods are DES and RSA. DES (Data Encryption Standard) is a standard for cryptographic data transformation developed by IBM for its own needs, which later became a US federal standard. The DES algorithm is widely used all over the world; it is open and has been published. It is easy to understand and uses a key-based method of protection that does not depend on the degree of “secrecy” of the algorithm. RSA is at present the most promising method, because it does not require the encryption key to be transferred to other users. The cryptographic transformation of data is performed with the first, public key, and recovery of the information is performed with the second, secret key. The main application of RSA at the moment is the protection of electronic document flow. As an example we can cite the SSL (Secure Sockets Layer) protocol, which guarantees secure data transfer over the network. SSL combines a public-key cryptosystem with block encryption of data. The only drawback of the RSA algorithm is that it has not been fully studied and there is no 100% guarantee of its reliability.
- User authentication, i.e. checking the correctness of the registration information entered by a user when logging in. It is used to enforce selective access rights to information resources and rights to perform operations in the system.
- Demarcation of users' rights and privileges for access to information resources.
- Control of information integrity, antivirus protection, audit, i.e. tracking the activity of users and software working in the system by registering predefined types of events in the security log, as well as performing certain reactions or prohibiting execution.
- Monitoring the operation of information security systems, both software and hardware, i.e. implementing controls and checks of the protective mechanisms of security systems.
- Backup and subsequent data recovery.
- Firewall: a system or combination of systems creating a protective barrier between two or more networks and preventing intrusion into a private network. Firewalls serve as virtual barriers to transmitting packets from one network to another.
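The cryptographic item above describes the public/secret key split of RSA and the way SSL combines a public-key system with bulk symmetric encryption. The following is an added example written for this page, not the article's code and not an implementation of SSL: textbook RSA on the small primes 61 and 53, plus the hybrid pattern in which RSA wraps a per-session key and a symmetric keystream protects the data. The primes, the session key and the message are constructed, and the SHA-256 counter keystream stands in for the block cipher purely for illustration.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA key pair from two primes: public (n, e), private (n, d)."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public: Key, m: int) -> int:
    """Anyone holding the public key can perform this transformation."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private: Key, c: int) -> int:
    """Only the holder of the secret exponent d can recover the information."""
    n, d = private
    return pow(c, d, n)


def _keystream(session_key: int, length: int) -> bytes:
    """Demonstration keystream (SHA-256 in counter mode); stands in for the block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = session_key.to_bytes(32, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def hybrid_encrypt(public: Key, plaintext: bytes, session_key: int) -> Tuple[int, bytes]:
    """RSA wraps the per-session symmetric key; the keystream protects the bulk data."""
    wrapped_key = rsa_encrypt(public, session_key)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(session_key, len(plaintext))))
    return wrapped_key, body


def hybrid_decrypt(private: Key, wrapped_key: int, body: bytes) -> bytes:
    """Unwrap the session key with the secret key, then strip the keystream."""
    session_key = rsa_decrypt(private, wrapped_key)
    return bytes(c ^ k for c, k in zip(body, _keystream(session_key, len(body))))


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)        # constructed toy primes
    print("public:", public, "private:", private)     # (3233, 17) and (3233, 2753)
    print("65 ->", rsa_encrypt(public, 65), "->", rsa_decrypt(private, rsa_encrypt(public, 65)))
    wrapped, body = hybrid_encrypt(public, b"payment order 42", session_key=1234)
    print("wrapped session key:", wrapped, "ciphertext:", body.hex())
    print("recovered:", hybrid_decrypt(private, wrapped, body))
```

Two caveats a practitioner should keep in mind: a 3233 modulus is factored by hand and the session key here is far too small, so the example only shows the mechanics; and textbook RSA with no padding, together with an unauthenticated keystream, is not a secure construction. Deployed systems use moduli of 2048 bits or more, standardized padding (OAEP), and authenticated block-cipher modes, which is the division of labour the article attributes to SSL.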
The main disadvantage of protection systems built only on software is the possibility of analyzing them during unauthorized access (NSD). As a result, the possibility of developing methods for overcoming or modifying a complex of software security tools cannot be excluded.
To be continued...
Banking activities have always been associated with the processing and storage of large amounts of confidential data. First of all, this is personal data about clients, their deposits and all operations performed.
All commercial information stored and processed in credit institutions is subject to a wide variety of risks associated with viruses, hardware failure, operating system failures, etc. But these problems are not capable of causing any serious damage. Daily data backup, without which the operation of any enterprise’s information system is unthinkable, reduces the risk of irretrievable loss of information to a minimum. In addition, methods of protection against the listed threats are well developed and widely known. Therefore, the risks associated with unauthorized access to confidential information (NCI) come to the fore.
Unauthorized access is a reality
Today, there are three most common ways to steal confidential information. Firstly, physical access to the places of its storage and processing. There are many options here. For example, attackers can break into a bank office at night and steal hard drives with all the databases. Even an armed raid is possible, the purpose of which is not money, but information. It is possible that a bank employee himself may take the information carrier outside the territory.
Secondly, use backups. In most banks, backup systems for important data are based on tape drives. They record the copies they create onto magnetic tapes, which are then stored in a separate location. Access to them is regulated much more leniently. During their transportation and storage, a relatively large number of people can make copies of them. The risks associated with backing up sensitive data should not be underestimated. For example, most experts are confident that the databases of transactions of the Central Bank of the Russian Federation, which went on sale in 2005, were stolen precisely thanks to copies taken from magnetic tapes. There are many similar incidents known in world practice. In particular, last September, employees of Chase Card Services (a division of JPMorgan Chase & Co.), a credit card provider, mistakenly threw away five magnetic tapes containing backup copies containing information on 2.6 million Circuit City credit account holders.
Thirdly, the most likely way of leaking confidential information is unauthorized access by bank employees. When using only standard operating system tools to separate rights, users often have the opportunity to indirectly (with the help of certain software) completely copy the databases they work with and move them outside the company. Sometimes employees do this without any malicious intent, just to work with the information at home. However, such actions are a serious violation of security policy and they can become (and do!) cause confidential data to be made public.
In addition, in any bank there is a group of people who have elevated privileges on the local network. We are talking about system administrators. On the one hand, they need it to perform their official duties. But, on the other hand, they have the opportunity to gain access to any information and “cover their tracks.”
Thus, the system for protecting banking information from unauthorized access must consist of at least three subsystems, each of which provides protection against its own type of threats. These are a subsystem for protecting against physical access to data, a subsystem for ensuring the security of backup copies, and a subsystem for protecting against insiders. And it is advisable not to neglect any of them, since each threat can cause the disclosure of confidential data.
Isn't there a law for banks?
Currently, the activities of banks are regulated by the federal law “On Banks and Banking Activities”. It, among other things, introduces the concept of “bank secrecy”. According to it, any credit institution is obliged to ensure the confidentiality of all data on customer deposits. She bears responsibility for their disclosure, including compensation for damage caused by the leak of information. At the same time, there are no requirements for the security of banking information systems. This means that banks make all decisions on the protection of commercial data independently, based on the experience of their specialists or third-party companies (for example, performing information security audits). The only recommendation is the standard of the Central Bank of the Russian Federation “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions". It first appeared in 2004, and in 2006 a new version was adopted. When creating and finalizing this departmental document, current Russian and international standards in the field of information security were used.
The Central Bank of the Russian Federation can only recommend it to other banks, but cannot insist on mandatory implementation. In addition, the standard contains few clear requirements guiding the selection of specific products. It is certainly important, but at the moment it has no serious practical significance. For example, about certified products it says this: “... certified or approved means of protecting information from unauthorized access can be used.” There is no corresponding list.
The standard also lists the requirements for cryptographic means of protecting information in banks. And here there is already a more or less clear definition: “CIPF... must be implemented on the basis of algorithms that comply with the national standards of the Russian Federation, the terms of the agreement with the counterparty and (or) the standards of the organization.” Compliance of the cryptographic module with GOST 28147-89 can be confirmed through certification. Therefore, when using encryption systems in a bank, it is advisable to use software or hardware crypto providers certified by the FSB of the Russian Federation, that is, external modules that connect to the software and implement the encryption process itself.
In July last year, the Federal Law of the Russian Federation “On Personal Data” was adopted, which came into force on January 1, 2007. Some experts associated it with the emergence of more specific requirements for banking security systems, since banks are organizations that process personal data. However, the law itself, which is certainly very important in general, is not applicable in practice today. The problem is the lack of standards for the protection of private data and bodies that could monitor their implementation. That is, it turns out that banks are currently free to choose commercial information protection systems.
Physical access protection
Banks have traditionally paid a great deal of attention to the physical security of operating branches, vaults for storing valuables, etc. All this reduces the risk of unauthorized access to commercial information through physical access. However, bank offices and the technical premises in which servers are located usually do not differ from the offices of other companies in their level of protection. Therefore, to minimize the risks described, it is necessary to use a cryptographic protection system.
Today there are a large number of utilities on the market that encrypt data. However, the peculiarities of data processing in banks impose additional requirements on such software. First, the cryptographic protection system must implement the principle of transparent encryption: the data in the main storage is always kept only in encrypted form. This technology also minimizes the overhead of everyday work with the data, since it does not need to be decrypted and re-encrypted every day. Access to the information goes through special software installed on the server, which automatically decrypts data as it is read and encrypts it before it is written to disk; these operations are performed directly in the server's RAM.
Second, banking databases are very large. A cryptographic information protection system must therefore work not with virtual disks but with real hard-drive partitions, RAID arrays and other server storage media, for example SAN storage. The point is that container files, which can be mounted in the system as virtual disks, are not designed for large amounts of data. When the virtual disk created from such a file is large, even a few users accessing it simultaneously will see a significant drop in read and write speed, and several dozen people working with a large container file can turn into sheer torture. In addition, these objects are at risk of damage by viruses, file system failures, etc. After all, they are essentially ordinary files, just very large ones, and even a slight change in them can make it impossible to decrypt all the information they contain. Both of these mandatory requirements significantly narrow the range of products suitable for implementing protection; in fact, there are only a few such systems on the Russian market today.
There is no need to consider in detail the technical features of server systems for cryptographic information protection, since in one of the previous issues we have already compared these products. (Stolyarov N., Davletkhanov M. UTM protection.) But it is worth noting some features of such systems, the presence of which is desirable for banks. The first is related to the already mentioned certification of the cryptographic module used. Most banks already have the appropriate software or hardware. Therefore, a server-based information security system must provide for the possibility of connecting and using them. The second special requirement for an information security system is the ability to integrate into the physical security system of an office and/or server room. This allows you to protect information from unauthorized access due to theft, hacking, etc.
Banks should pay special attention to the safety of information, since it is actually the clients’ money. Therefore, the security system must have special capabilities that minimize the risk of its loss. One of the most noticeable is the function of detecting bad sectors on the hard drive. In addition, the ability to pause and cancel the initial disk encryption, decryption, and re-encryption processes is of great importance. These are quite lengthy procedures, any failure during which threatens the complete loss of all data.
The human factor has a very large influence on the risks associated with unauthorized access to confidential information. It is therefore desirable that the security system be able to reduce that influence. This is achieved by using reliable means of storing encryption keys: smart cards or USB tokens. Including such tokens in the product is optimal; it not only reduces costs but also ensures full compatibility of software and hardware.
Another important function that minimizes the influence of the human factor on the reliability of the security system is key quorum. Its essence is to divide the encryption key into several parts, each of which is entrusted to one responsible employee. Mounting an encrypted drive requires a specified number of parts, which may be less than the total number of parts. This approach protects data from misuse by the responsible employees themselves and also provides the flexibility the bank’s work requires.
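The key quorum described above, as an added example (not code from the article or from any product it mentions), implemented as k-of-n Shamir secret sharing in Python; the field prime and the sample key are choices made for this example:

```python
"""Key quorum (k-of-n threshold sharing) for a disk encryption key.

Added example, not code from the article or any product it mentions:
Shamir secret sharing over a prime field. The key is the constant term of
a random polynomial of degree k-1; each employee receives one point on it,
and any k points reconstruct the key by Lagrange interpolation, while k-1
points reveal nothing about it.
"""
import secrets

# Field prime, chosen here to exceed any 256-bit key value: 2**256 - 189 is
# the largest prime below 2**256 (constructed choice for this example).
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, k: int, n: int):
    """Split key into n shares (x, y); any k of them reconstruct it."""
    secret = int.from_bytes(key, "big")
    if not 1 <= k <= n or secret >= PRIME:
        raise ValueError("need 1 <= k <= n and key value below PRIME")
    # The secret is the constant term; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    # x = 0 is never used as a share index, since f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 over the given shares.

    With fewer than k shares this returns a value unrelated to the key
    rather than an error, which is exactly the threshold property.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed disk key
    shares = split_key(key, k=3, n=5)      # five officers, any three suffice
    print(recover_key(shares[:3]) == key)  # True
    print(recover_key([shares[0], shares[4], shares[2]]) == key)  # True
```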
Backup protection
Regular backup of all information stored in the bank is an absolutely necessary measure. It significantly reduces losses in the event of problems such as data corruption by viruses, hardware failure, etc. But at the same time it increases the risks associated with unauthorized access. Practice shows that the media on which backup copies are recorded should be stored not in the server room but in another room or even another building. Otherwise, if a fire or other serious incident occurs, both the data itself and its archives may be irretrievably lost. It is possible to reliably protect backup copies from unauthorized use only with the help of cryptography. In this case the security officer, keeping the encryption key to himself, can safely hand media with archives over to technical personnel.
The main difficulty in organizing cryptographic protection of backup copies is the need to separate the responsibilities for managing data archiving. The system administrator or another technical employee must configure and run the backup process itself, while the encryption of the information must be managed by a responsible employee, the security officer. Bear in mind that backup in the vast majority of cases is performed automatically. This problem can only be solved by “building in” a cryptographic protection system between the backup management system and the devices that record the data (tape drives, DVD drives, etc.).
Thus, in order for cryptographic products to be used in banks, they must also be able to work with various devices used to record backup copies on storage media: tape drives, CD and DVD drives, removable hard drives, etc.
Today there are three types of products designed to minimize the risks associated with unauthorized access to backup copies. The first comprises specialized hardware devices. Such hardware solutions have many advantages, including reliable encryption and high speed. However, they have three significant drawbacks that prevent their use in banks. First, very high cost (tens of thousands of dollars). Second, possible problems with import into Russia (we must not forget that we are talking about cryptographic means). Third, the inability to connect external certified crypto providers to them: these boards work only with the encryption algorithms implemented in their hardware.
The second group of backup cryptographic protection systems consists of modules that backup software and hardware vendors offer their clients. They exist for all the best-known products in this area: ArcServe, Veritas Backup Exec, etc. True, they too have their peculiarities, the most important being that they work only with “their own” software or drive. Meanwhile, a bank's information system is constantly evolving, and it is quite possible that replacing or expanding the backup system will require additional costs for modifying the protection system. In addition, most products in this group implement old, slow encryption algorithms (for example, 3DES), have no key management tools, and cannot connect external crypto providers.
All this forces us to pay close attention to cryptographic protection systems for backup copies from the third group. It includes specially developed software, hardware and software products that are not tied to specific data archiving systems. They support a wide range of information recording devices, which allows them to be used throughout the bank, including all its branches. This ensures uniformity of protective equipment used and minimizes operating costs.
However, it is worth noting that, despite all their advantages, there are very few products from the third group on the market. This is most likely due to the lack of great demand for cryptographic backup protection systems. As soon as the management of banks and other large organizations realizes the reality of the risks associated with archiving commercial information, the number of players in this market will increase.
Protection from insiders
Recent studies in the field of information security, such as the annual CSI/FBI Computer Crime And Security Survey, have shown that financial losses to companies from most threats are decreasing year over year. However, there are several risks from which losses are increasing. One of them is the deliberate theft of confidential information or violation of the rules for handling it by those employees whose access to commercial data is necessary to perform their official duties. They are called insiders.
In the vast majority of cases, the theft of confidential information is carried out using mobile media: CDs and DVDs, ZIP devices and, most importantly, all kinds of USB drives. It was their mass distribution that led to the flourishing of insider abuse around the world. The heads of most banks are well aware of the danger of, for example, a database with their clients' personal data, let alone transactions on their accounts, falling into the hands of criminal structures, and they try to combat possible theft of information with the organizational methods available to them.
However, organizational methods are ineffective in this case. Today information can be carried between computers on a miniature flash drive, a cell phone, an mp3 player, a digital camera... One can, of course, try to prohibit bringing all these devices into the office, but this, firstly, will harm relations with employees, and secondly, it is still very hard to establish really effective control over people: a bank is not a “mailbox” (a closed secret facility). Even disabling all the devices on computers that can be used to write information to external media (FDD and ZIP disks, CD and DVD drives, etc.) and the USB ports will not help. After all, the former are needed for work, and the latter are connected to various peripherals: printers, scanners, etc. And no one can stop a person from unplugging the printer for a minute, inserting a flash drive into the free port and copying important information onto it. One can, of course, find original workarounds; for example, one bank tried this: they filled the junction of the USB port and the cable with epoxy resin, tightly “tying” the cable to the computer. But, fortunately, today there are more modern, reliable and flexible control methods.
The most effective means of minimizing insider-related risks is special software that dynamically manages all the devices and computer ports that can be used to copy information. It works as follows: permissions to use the various ports and devices are set for each user group or for each user individually. The biggest advantage of such software is flexibility: restrictions can be set for specific types of devices, for particular models, and for individual instances, which allows very complex access policies to be implemented.
For example, you might want to allow some employees to use any printers or scanners connected to USB ports. However, all other devices inserted into this port will remain inaccessible. If the bank uses a user authentication system based on tokens, then in the settings you can specify the key model used. Then users will be allowed to use only devices purchased by the company, and all others will be useless.
Based on the principle of operation of the protection systems described above, one can see which points matter when choosing programs that implement dynamic blocking of recording devices and computer ports. Firstly, versatility: the protection system must cover the entire range of possible ports and input/output devices, otherwise the risk of theft of commercial information remains unacceptably high. Secondly, the software in question must be flexible and allow rules to be created using a wide range of information about devices: their types, manufacturers and models, the unique numbers that each instance has, etc. And thirdly, the insider protection system must be able to integrate with the bank’s information system, in particular with Active Directory. Otherwise, the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
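A rule engine of the kind described above, as an added example that is not code from the article or from any product it mentions; the device classes, vendor/product ids, serial numbers and group names are constructed for illustration:

```python
"""Device-control policy for removable media and USB ports.

Added example, not code from any product the article describes: a small
rule engine in the spirit of the dynamic port-blocking software discussed
above. Rules match a device by class, by vendor/model, or by individual
serial number, can be limited to user groups, and the most specific
matching rule wins; anything unmatched is denied. All vendor/product ids,
serials and group names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

MATCH_FIELDS = ("dev_class", "vendor_id", "product_id", "serial")


@dataclass(frozen=True)
class Device:
    dev_class: str        # e.g. "printer", "scanner", "storage", "token"
    vendor_id: str        # USB vendor id as reported by the device
    product_id: str       # USB product id (model)
    serial: str           # per-instance serial number


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()     # empty = applies to any user
    dev_class: Optional[str] = None
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, user_groups: FrozenSet[str], dev: Device) -> bool:
        if self.groups and not (self.groups & user_groups):
            return False
        return all(getattr(self, f) is None or getattr(self, f) == getattr(dev, f)
                   for f in MATCH_FIELDS)

    def specificity(self) -> int:
        """Number of pinned attributes: a serial rule beats a model rule,
        which beats a class-only rule."""
        return sum(getattr(self, f) is not None for f in MATCH_FIELDS)


def decide(rules: Sequence[Rule], user_groups: FrozenSet[str], dev: Device) -> Tuple[str, str]:
    """Return (action, reason). Default deny; if allow and deny rules tie
    at the same specificity, deny wins."""
    matched = [r for r in rules if r.matches(user_groups, dev)]
    if not matched:
        return "deny", "no rule matches (default deny)"
    best = max(r.specificity() for r in matched)
    top = [r for r in matched if r.specificity() == best]
    if any(r.action == "deny" for r in top):
        return "deny", f"deny rule at specificity {best}"
    return "allow", f"allow rule at specificity {best}"


# Constructed policy for the scenario in the text: operators may use any USB
# printer or scanner, only the company's own token model is accepted, and
# mass storage is blocked except one registered backup drive for security
# staff. Note that class-only rules trust the class the device reports, so
# model- or serial-level rules are the safer choice wherever data can flow.
COMPANY_TOKEN = ("1234", "0001")       # constructed vendor/product ids
POLICY = [
    Rule("allow", frozenset({"operators"}), dev_class="printer"),
    Rule("allow", frozenset({"operators"}), dev_class="scanner"),
    Rule("allow", dev_class="token", vendor_id=COMPANY_TOKEN[0], product_id=COMPANY_TOKEN[1]),
    Rule("deny", dev_class="storage"),
    Rule("allow", frozenset({"security"}), dev_class="storage", serial="SN-BACKUP-01"),
]


if __name__ == "__main__":
    ops = frozenset({"operators"})
    print(decide(POLICY, ops, Device("printer", "1111", "2222", "P-1")))
    print(decide(POLICY, ops, Device("storage", "3333", "4444", "F-9")))
    print(decide(POLICY, frozenset({"security"}),
                 Device("storage", "3333", "4444", "SN-BACKUP-01")))
```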
Let's sum it up
So, today there are products on the market with which any bank can organize a reliable system for protecting information from unauthorized access and misuse. True, they must be chosen very carefully. Ideally, this should be done by in-house specialists of the appropriate level. Using the services of third-party companies is acceptable, but in this case it is possible that the bank is skillfully sold not the software it needs but the one that is profitable for the supplier. In addition, the domestic market for information security consulting is in its infancy.
Meanwhile, making the right choice is not at all difficult. It is enough to arm yourself with the criteria we have listed and carefully study the security systems market. But there is a pitfall here that needs to be remembered. Ideally, the bank’s information security system should be unified. That is, all subsystems must be integrated into the existing information system and, preferably, have common management. Otherwise, increased labor costs for administering protection and increased risks due to management errors are inevitable. Therefore, to build all three protection subsystems described today, it is better to choose products released by one developer. Today in Russia there are companies that create everything necessary to protect banking information from unauthorized access.
The data bank is part of any automated system, such as CAD, an automated control system, a process control system, etc. The task of the data bank is to keep the information model up to date and to serve user requests. This requires three operations on the data bank: insert, delete, and modify. These operations provide for the storage and modification of data.
With the development of an automated system, the composition of objects in the subject area changes, and the connections between them change. All this should be reflected in the information system. Thus, the organization of the data bank must be flexible. We will show the place of the data bank in the automated system.
When designing a data bank, it is extremely important to consider two aspects of supporting user requests.
1) Determining the boundaries of a specific subject area and developing an information model. Note that the data bank must provide information to the entire system both in the present and in the future, taking into account its development.
2) The development of a data bank should be focused on effectively servicing user requests. In this regard, it is essential to analyze the kinds and types of user requests. It is also essential to analyze the functional tasks of the automated system for which this bank will be a source of information.
Users of the data bank differ according to the following characteristics:
· by the permanence of their interaction with the bank: permanent and one-time users;
· by clearance level: some data must be protected;
· by the form in which requests are submitted: requests can be made by programmers, non-programmers, or task users.
Because of the great heterogeneity of users, the data bank provides a special tool that brings all queries to a single terminology. This tool is usually called a data dictionary.
Let us highlight the primary requirements that a data bank must meet for external users. The data bank should:
1. Provide the ability to store and modify large volumes of multidimensional information. Meet current and emerging user requirements.
2. Ensure specified levels of reliability and consistency of stored information.
3. Provide access to data only to those users who have the appropriate authority.
4. Provide the ability to search for information based on an arbitrary group of characteristics.
5. Meet specified performance requirements when processing queries.
6. Be able to reorganize and expand when the boundaries of the subject area change.
7. Provide information to the user in various forms.
8. Provide the ability to simultaneously service a large number of external users.
To meet these requirements, it is essential to introduce centralized data management.
Let us highlight the main advantages of centralized data management compared with the approaches used previously.
1) Reducing redundancy of stored data. Data that is used by several applications is structured (integrated) and stored in a single copy.
2) Elimination of inconsistencies in stored data. Because the data is not redundant, it can no longer happen that a data item is actually changed in one record but remains unchanged in all the others.
3) Multidimensional use of data when entering it once.
4) Comprehensive optimization based on analysis of user requirements. Data structures are selected that provide the best service.
5) Ensuring the possibility of standardization. This facilitates data exchange with other automated systems, as well as data control and recovery procedures.
6) Ensuring the possibility of authorized access to data, i.e. the availability of data protection mechanisms.
It should be emphasized that the main problem of centralized data management is ensuring the independence of application programs from data. This is explained by the fact that data integration and optimization of data structures require changes in the stored data representation and data access method.
Conclusion: The main distinguishing feature of a data bank is the presence of centralized data management.
Chapter 1. Features of information security of banks.
Order of Rosstandart dated March 28, 2018 No. 156-st “On approval of the national standard of the Russian Federation”
Order of Rosstandart of August 8, 2017 No. 822-st “On approval of the national standard of the Russian Federation”
The main goals of implementing the Standard “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions” STO BR IBBS-1.0 (hereinafter referred to as the Standard):
- increasing confidence in the banking system of the Russian Federation;
- increasing the stability of the functioning of organizations of the banking system of the Russian Federation and, on this basis, the stability of the functioning of the banking system of the Russian Federation as a whole;
- achieving the adequacy of measures to protect against real threats to information security;
- preventing and/or reducing damage from information security incidents.
Main objectives of the Standard:
- establishment of uniform requirements for ensuring information security of organizations of the banking system of the Russian Federation;
- increasing the efficiency of measures to ensure and maintain information security of organizations of the banking system of the Russian Federation.
Protection of information in electronic payment Internet systems
Internet payment system is a system for conducting payments between financial, business organizations and Internet users in the process of buying/selling goods and services via the Internet. It is the payment system that allows you to turn an order processing service or an electronic storefront into a full-fledged store with all the standard attributes: by selecting a product or service on the seller’s website, the buyer can make a payment without leaving the computer.
In an e-commerce system, payments are made subject to a number of conditions:
1. Maintaining confidentiality. When making payments via the Internet, the buyer wants his data (for example, credit card number) to be known only to organizations that have the legal right to do so.
2. Maintaining the integrity of information. Purchase information cannot be changed by anyone.
3. Authentication. Buyers and sellers must be confident that all parties involved in a transaction are who they say they are.
4. Means of payment. Possibility of payment using any means of payment available to the buyer.
6. Seller's risk guarantees. When trading on the Internet, the seller is exposed to many risks associated with product refusals and buyer dishonesty. The magnitude of the risks must be agreed upon with the payment system provider and other organizations included in the trading chain through special agreements.
7. Minimizing transaction fees. Transaction processing fees for ordering and paying for goods are naturally included in their price, so lowering the transaction price increases competitiveness. It is important to note that the transaction must be paid in any case, even if the buyer refuses the goods.
All these conditions must be implemented in an Internet payment system, which is, in essence, an electronic version of a traditional payment system.
Thus, all payment systems are divided into:
Debit (working with electronic checks and digital cash);
Credit (working with credit cards).
Debit systems
Debit payment schemes are built similarly to their offline prototypes: check and regular money. The scheme involves two independent parties: issuers and users. The issuer is understood as the entity that manages the payment system. It issues some electronic units that represent payments (for example, money in bank accounts).
System users perform two main functions. They make and accept payments on the Internet using issued electronic units.
Electronic checks are analogous to regular paper checks. These are the payer's instructions to his bank to transfer money from his account to the payee's account. The operation occurs upon presentation by the recipient of the check at the bank. There are two main differences here. Firstly, when writing a paper check, the payer puts his real signature, and in the online version - an electronic signature. Secondly, the checks themselves are issued electronically.
Payments are made in several stages:
1. The payer issues an electronic check, signs it with an electronic signature and forwards it to the recipient. For greater reliability and security, the checking account number can be encrypted with the bank's public key.
2. The check is presented to the payment system for payment. Next, (either here or at the bank serving the recipient) the electronic signature is verified.
3. If its authenticity is confirmed, the goods are delivered or the service is provided. Money is transferred from the payer's account to the recipient's account.
The simplicity of the payment scheme (Fig. 43), unfortunately, is offset by the difficulties of its implementation due to the fact that check schemes have not yet become widespread and there are no certification centers for the implementation of electronic signatures.
An electronic digital signature (EDS) uses a public key encryption system. This creates a private key for signing and a public key for verification. The private key is stored by the user, and the public key can be accessed by everyone. The most convenient way to distribute public keys is to use certification authorities. Digital certificates containing the public key and information about the owner are stored there. This frees the user from the obligation to distribute his public key himself. In addition, certificate authorities provide authentication to ensure that no one can generate keys on behalf of another person.
Electronic money completely simulates real money. At the same time, the issuing organization - the issuer - issues their electronic analogues, called differently in different systems (for example, coupons). Next, they are purchased by users, who use them to pay for purchases, and then the seller redeems them from the issuer. When issued, each monetary unit is certified by an electronic seal, which is verified by the issuing structure before redemption.
One of the features of physical money is its anonymity, that is, it does not indicate who used it and when. Some systems, by analogy, allow the buyer to receive electronic cash in such a way that the connection between him and the money cannot be determined. This is done using a blind signature scheme.
It is also worth noting that when using electronic money, there is no need for authentication, since the system is based on the release of money into circulation before its use.
Figure 44 shows a payment scheme using electronic money.
The payment mechanism is as follows:
1. The buyer exchanges real money for electronic money in advance. The cash can be stored on the client side in one of two ways, depending on the system used:
On the computer's hard drive;
On smart cards.
Different systems offer different exchange schemes. Some open special accounts to which funds from the buyer’s account are transferred in exchange for electronic bills. Some banks may issue electronic cash themselves. At the same time, it is issued only at the request of the client, followed by its transfer to the computer or card of this client and the withdrawal of the cash equivalent from his account. When implementing a blind signature, the buyer himself creates electronic bills, sends them to the bank, where, when real money arrives in the account, they are certified by a seal and sent back to the client.
Along with the convenience of such storage, it also has disadvantages. Damage to a disk or smart card results in irreversible loss of electronic money.
2. The buyer transfers electronic money for the purchase to the seller’s server.
3. The money is presented to the issuer, who verifies its authenticity.
4. If the electronic bills are genuine, the seller’s account is increased by the purchase amount, and the goods are shipped to the buyer or the service is provided.
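The blind-signature issuance and redemption described above, as an added example that is not code from the article or from any real payment system; it uses textbook RSA with a short constructed key, and the serial numbers and function names are assumptions of this example:

```python
"""Blind-signature issuance of electronic cash (Chaum-style RSA blinding).

Added example, not code from the article or any real payment system: the
buyer blinds a coin serial number before sending it to the issuer, the
issuer applies its "seal" (RSA signature) without seeing the serial, and
the buyer unblinds the result into a valid coin. At redemption the issuer
verifies the seal and refuses a serial it has already accepted. Textbook
RSA with a short constructed key and no padding, for clarity only.
"""
import hashlib
import math
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_issuer_key(bits: int = 512):
    """Return ((n, e), d): the issuer's public verification key and its
    private sealing exponent. 512 bits is a toy size for this example."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), pow(e, -1, phi)


def coin_digest(serial: bytes) -> int:
    """Message representative of a coin: SHA-256 of its serial number."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


def blind(pub, serial: bytes):
    """Buyer: hide the serial with a random factor r; returns (blinded, r)."""
    n, e = pub
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    return coin_digest(serial) * pow(r, e, n) % n, r


def issuer_seal(priv_d: int, pub, blinded: int) -> int:
    """Issuer: sign the blinded value (after debiting the buyer's account);
    it never learns which serial is inside, so the withdrawal is unlinkable."""
    n, _ = pub
    return pow(blinded, priv_d, n)


def unblind(pub, blind_sig: int, r: int) -> int:
    """Buyer: remove the blinding factor, leaving a plain signature on the coin."""
    n, _ = pub
    return blind_sig * pow(r, -1, n) % n


def verify_coin(pub, serial: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == coin_digest(serial) % n


def redeem(pub, spent: set, serial: bytes, sig: int) -> bool:
    """Issuer at redemption: accept a genuine coin once; the spent list is
    what stops a copied electronic bill from being redeemed twice."""
    if not verify_coin(pub, serial, sig) or serial in spent:
        return False
    spent.add(serial)
    return True
```

In the withdrawal step the issuer stores only the blinded value it signed, so a later redemption of the unblinded coin cannot be matched to the account that paid for it.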
One of the important distinguishing features of electronic money is the ability to make micropayments. This is due to the fact that the denomination of the banknotes may not correspond to real coins (for example, 37 kopecks).
Both banks and non-banking organizations can issue electronic cash. However, a unified system for converting different types of electronic money has not yet been developed. Therefore, only the issuers themselves can redeem the electronic cash they issued. In addition, the use of such money from non-financial structures is not guaranteed by the state. However, the low transaction cost makes electronic cash an attractive tool for online payments.
Credit systems
Internet credit systems are analogues of conventional systems that work with credit cards. The difference is that all transactions are carried out via the Internet, hence the need for additional security and authentication measures.
The following are involved in making payments via the Internet using credit cards:
1. Buyer. A client with a computer with a Web browser and Internet access.
2. Issuing bank. The buyer's bank account is located here. The issuing bank issues cards and is the guarantor of the client’s financial obligations.
3. Sellers. Sellers are understood as E-Commerce servers where catalogs of goods and services are maintained and customer purchase orders are accepted.
4. Acquiring banks. Banks serving sellers. Each seller has a single bank in which he keeps his current account.
5. Internet payment system. Electronic components that act as intermediaries between other participants.
6. Traditional payment system. A set of financial and technological means for servicing cards of this type. Among the main tasks solved by the payment system is ensuring the use of cards as a means of payment for goods and services, the use of banking services, conducting mutual offsets, etc. Participants in the payment system are individuals and legal entities united through the use of credit cards.
7. Payment system processing center. An organization that provides information and technological interaction between participants in the traditional payment system.
8. Settlement bank of the payment system. A credit organization that carries out mutual settlements between payment system participants on behalf of the processing center.
The general payment scheme in such a system is shown in Figure 45.
1. The buyer in the electronic store creates a basket of goods and selects the payment method “credit card”.
2. The card details are entered in one of two ways:
Through the store, that is, the card parameters are entered directly on the store’s website and then transferred to the Internet payment system (2a);
On the payment system server (2b).
The advantages of the second way are obvious.
In this case, information about the cards does not remain in the store, and, accordingly, the risk of receiving them by third parties or being deceived by the seller is reduced. In both cases, when transferring credit card details, there is still a possibility of them being intercepted by attackers on the network. To prevent this, data is encrypted during transmission.
Encryption, naturally, reduces the possibility of data interception on the network, so it is advisable to carry out communications between buyer/seller, seller/Internet payment system, buyer/Internet payment system using secure protocols. The most common of them today are the SSL (Secure Sockets Layer) protocol, as well as the SET (Secure Electronic Transaction) standard, designed to eventually replace SSL when processing transactions related to payments for credit card purchases on the Internet.
3. The Internet payment system transmits an authorization request to the traditional payment system.
4. The next step depends on whether the issuing bank maintains an online database of accounts. If there is a database, the processing center sends the issuing bank a request for card authorization (see introduction or dictionary) (4a) and then (4b) receives its result. If there is no such database, then the processing center itself stores information about the status of cardholders’ accounts, stop lists and fulfills authorization requests. This information is regularly updated by the issuing banks.
The store provides a service or ships goods (8a);
The processing center transmits information about the completed transaction to the settlement bank (8b). Money from the buyer's account with the issuing bank is transferred through the settlement bank to the store's account with the acquiring bank.
In most cases, special software is required to make such payments.
It can be supplied to the buyer (called an electronic wallet), the seller and his servicing bank.
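The authorization and settlement path of steps 2 to 4 and 8b, as an added example that is not code from the original page or from any real payment system: a small Go model in which the Internet payment system sends authorization requests through a processing center that either forwards them to an online issuing bank or decides from its own replica and stop list, and in which variant 2b keeps raw card details away from the store. Every card number, balance and name is constructed, and routing by a six-digit issuer prefix is an assumption of the example, not something the text states.

```go
package main

import "fmt"

// Constructed demo of the card-payment scheme (steps 2, 3, 4 and 8b).
// Card numbers, balances and names are made up; routing by a six-digit
// issuer prefix is an assumption of this example.

type AuthRequest struct {
	PAN    string
	Amount int64 // minor units
	Store  string
}

type AuthResult struct {
	Approved bool
	Reason   string
}

// IssuingBank answers from its online account database (4a/4b).
type IssuingBank struct{ Accounts map[string]int64 }

func (b *IssuingBank) Authorize(r AuthRequest) AuthResult {
	bal, ok := b.Accounts[r.PAN]
	if !ok {
		return AuthResult{false, "unknown card"}
	}
	if bal < r.Amount {
		return AuthResult{false, "insufficient funds"}
	}
	b.Accounts[r.PAN] = bal - r.Amount
	return AuthResult{true, "approved by issuer"}
}

// ProcessingCenter forwards to an online issuer when there is one and
// otherwise decides from its own replica of account status and the stop list.
type ProcessingCenter struct {
	Online   map[string]*IssuingBank // keyed by issuer prefix (assumed six digits)
	Replica  map[string]int64
	StopList map[string]bool
}

func (p *ProcessingCenter) Authorize(r AuthRequest) AuthResult {
	if len(r.PAN) >= 6 {
		if issuer, ok := p.Online[r.PAN[:6]]; ok {
			return issuer.Authorize(r)
		}
	}
	if p.StopList[r.PAN] {
		return AuthResult{false, "card on stop list"}
	}
	bal, ok := p.Replica[r.PAN]
	if !ok || bal < r.Amount {
		return AuthResult{false, "declined from replica"}
	}
	p.Replica[r.PAN] = bal - r.Amount
	return AuthResult{true, "approved from replica"}
}

// InternetPaymentSystem sends the authorization request (step 3) and, on
// approval, has the store's account credited on the settlement side (8b).
type InternetPaymentSystem struct {
	Center        *ProcessingCenter
	StoreAccounts map[string]int64
}

func (s *InternetPaymentSystem) Pay(r AuthRequest) AuthResult {
	res := s.Center.Authorize(r)
	if res.Approved {
		s.StoreAccounts[r.Store] += r.Amount
	}
	return res
}

// Store is the electronic shop. CardDataSeen counts how often raw card
// details passed through it: that exposure is what variant 2b avoids.
type Store struct {
	Name         string
	CardDataSeen int
}

// PayViaStore is variant 2a: the card is typed into the store's site and forwarded.
func (st *Store) PayViaStore(ips *InternetPaymentSystem, pan string, amount int64) AuthResult {
	st.CardDataSeen++
	return ips.Pay(AuthRequest{PAN: pan, Amount: amount, Store: st.Name})
}

// PayViaPaymentSystem is variant 2b: the card goes straight to the payment
// system's server and the store only learns the outcome.
func PayViaPaymentSystem(ips *InternetPaymentSystem, st *Store, pan string, amount int64) AuthResult {
	return ips.Pay(AuthRequest{PAN: pan, Amount: amount, Store: st.Name})
}

func demoSystem() *InternetPaymentSystem {
	online := &IssuingBank{Accounts: map[string]int64{"411111000000001": 10000}}
	return &InternetPaymentSystem{
		Center: &ProcessingCenter{
			Online:   map[string]*IssuingBank{"411111": online},
			Replica:  map[string]int64{"522222000000002": 5000, "522222000000003": 9000},
			StopList: map[string]bool{"522222000000003": true},
		},
		StoreAccounts: map[string]int64{},
	}
}

func main() {
	ips, st := demoSystem(), &Store{Name: "shop-1"}
	fmt.Println(PayViaPaymentSystem(ips, st, "411111000000001", 2500)) // online issuer
	fmt.Println(PayViaPaymentSystem(ips, st, "522222000000003", 100))  // stop list
	fmt.Println("card data seen by store:", st.CardDataSeen, "credited:", ips.StoreAccounts[st.Name])
}
```

The point to take from the model is the asymmetry between the two entry variants: with `PayViaStore` the store's code touches the card number on every purchase and has to be protected (and audited) as card-handling infrastructure, while with `PayViaPaymentSystem` that burden stays with the payment system.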
In our lives, the Internet is not only a means for communication, entertainment and relaxation, but also for work, as well as for making electronic payments. Many of us use online banking services and make purchases in online stores.
Major Threats to Online Transactions
Internet banking systems and online stores deploy substantial protection: two-factor authentication, one-time SMS passwords, printed lists of one-time passwords or hardware tokens, TLS/SSL-protected connections and so on. Modern attacks nevertheless get past even these mechanisms, usually by compromising the user's computer or deceiving the user rather than by breaking the cryptography itself.
Today attackers rely on three common approaches to go after users' financial data:
- infecting the victim's computer with Trojan programs (keyloggers, screen loggers and the like) that capture what the user enters;
- social engineering, chiefly phishing by e-mail, through fake websites and on social networks;
- technological attacks: traffic sniffing, DNS or proxy server substitution, forged certificates and so on.
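Certificate substitution, the last of the technological attacks listed, works when the attacker presents a certificate that the client's normal chain validation accepts, for example one issued by a CA that has been added to the victim's trust store. One countermeasure a banking client can apply is pinning: accept only a known fingerprint for the bank's server, whatever chain it arrives with. The Go example below is added here and is not code from the page or from any of the products it mentions; the certificates it generates are throwaway self-signed ones so that the check runs offline, and the host name is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Pin is the SHA-256 fingerprint of a DER-encoded certificate.
type Pin [sha256.Size]byte

// FingerprintCert computes the pin for one DER certificate.
func FingerprintCert(der []byte) Pin { return sha256.Sum256(der) }

// PinnedVerifier returns a function with the signature of
// tls.Config.VerifyPeerCertificate. It accepts the handshake only if the
// leaf certificate the server presented matches one of the pinned
// fingerprints, regardless of which CA signed it. A substitute certificate
// from a CA the operating system trusts therefore fails here even though
// ordinary chain validation would have passed it.
func PinnedVerifier(pins ...Pin) func([][]byte, [][]*x509.Certificate) error {
	allowed := map[Pin]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: server sent no certificate")
		}
		got := FingerprintCert(rawCerts[0])
		if !allowed[got] {
			return errors.New("pin check: leaf certificate " + hex.EncodeToString(got[:8]) + "... is not pinned")
		}
		return nil
	}
}

// PinnedTLSConfig wires the verifier into a client configuration. Because
// InsecureSkipVerify is left false, standard chain validation still runs
// first; the pin check is an additional constraint on top of it.
func PinnedTLSConfig(serverName string, pins ...Pin) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: PinnedVerifier(pins...),
	}
}

// SelfSignedDER creates a throwaway certificate so the check can be
// exercised offline; it stands in both for the bank's real certificate and
// for an attacker's substitute carrying the same name.
func SelfSignedDER(hostname string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{hostname},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	host := "online.example-bank.test" // made-up host name
	bank, _ := SelfSignedDER(host)
	forged, _ := SelfSignedDER(host) // same name, different key: the substitution case
	verify := PinnedVerifier(FingerprintCert(bank))
	fmt.Println("genuine:", verify([][]byte{bank}, nil))
	fmt.Println("forged: ", verify([][]byte{forged}, nil))
}
```

Pinning the leaf certificate, as here, means the client must be updated whenever the bank renews its certificate; production clients usually pin the SubjectPublicKeyInfo of the leaf or of an intermediate instead, and keep a backup pin, so that rotation does not lock users out.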
How to protect Internet banking?
The user should not rely on the bank alone but should also run security software that hardens electronic payments on their own side.
Modern Internet Security suites add, on top of antivirus functions, secure-payment tools (an isolated virtual environment for online transactions), a vulnerability scanner, web protection with link checking, blocking of malicious scripts and pop-ups, protection of entered data from interception (anti-keyloggers) and a virtual keyboard.
Comprehensive solutions with a dedicated online-payment protection component include Kaspersky Internet Security with its "Safe Payments" component, avast!
Internet Security with avast! SafeZone, and Bitdefender Internet Security with Bitdefender Safepay. With one of these products no separate payment-protection tool is needed.
If you use a different antivirus, consider adding separate protection: Bitdefender Safepay (an isolated web browser), Trusteer Rapport and HitmanPro.Alert to shield the browser from attacks, and the Netcraft Extension, McAfee SiteAdvisor or Adguard against phishing.
Do not forget a firewall and a VPN client if you have to carry out financial transactions over open Wi-Fi networks in public places. CyberGhost VPN, for example, encrypts traffic with 256-bit AES, so an attacker on the same network gains nothing from intercepting it. Bear in mind that the VPN protects only the segment between your device and the VPN server; beyond it, the connection to the bank still relies on TLS.
What methods of protecting online payments do you use? Share your experience in the comments.
Banking has had to deal with the confidentiality, storage and protection of information from the very beginning. Data security plays a major role in the business of banking institutions, because competitors and criminals are always interested in such information and go to great lengths to obtain it. To avoid such problems, a bank must learn to protect its data, and effective protection starts with accounting for every possible channel of leakage. That includes, not least, vetting people carefully when hiring: checking their biographical details and previous places of work.
Information security of banking institutions
All information processed by banking and credit organizations is at risk: customer data as well as data about the banks' own operations, their databases and so on. Such information is valuable both to competitors and to people engaged in criminal activity, and their actions, compared with the trouble caused by a virus infection or an operating system failure, can do truly enormous damage to organizations of this kind.
Protecting bank servers and local networks from intruders and from unauthorized access to the organization's materials is simply a necessity in today's highly competitive environment.
Information security of banking systems matters because it guarantees the confidentiality of customer data. Daily backups reduce the risk of losing important information outright, and methods exist for protecting data from unauthorized access. A leak of this kind of information can result from the work of agents deliberately placed in the organization as well as from long-serving employees who decide to make money from the theft of the bank's information assets. Security is achieved through the work of professionals who know their business.
Protection of customers is one of the most important factors in the reputation of the bank as a whole, and therefore in its income, since only a good reputation lets a bank achieve a high level of service and outperform its competitors.
Unauthorized access to banking system information
Among the most common ways of stealing banking information are taking a backup copy, removing data on a storage device, or staging a break-in whose purpose is not material assets but access to the information on the server. Since backups are usually kept on tape in a separate location, copies can be made while the tapes are being transported to their destination. That is why the employees hired for such work are carefully checked through various government agencies for criminal records and past problems with the law, and the information they give about themselves is verified. The possibility of theft of banking information should not be underestimated, because world practice is full of such cases.
For example, in 2005 transaction databases of the Central Bank of the Russian Federation were put up for sale. It is possible that this information left the bank precisely because of insufficient security of its systems. Similar incidents have happened more than once at world-famous companies in the United States, whose information security suffered greatly as a result.
Another channel through which information leaks is bank employees eager to make money from it. Even where the unauthorized access is made only so that an employee can work from home, the copied data becomes a source from which confidential information spreads, and it is a direct violation of the security policy of banking organizations.
It must also be taken into account that every bank employs people with broad privileges to access such data, usually system administrators. On the one hand, this is an operational necessity that lets them perform their duties; on the other, they can use those privileges for their own purposes and know how to cover their tracks professionally.
Ways to reduce the risk of information leakage
Protecting banking information from unauthorized access usually includes at least three components, each covering the area in which it is applied: protection against physical access, protection of backups, and protection against insiders.
Since banks pay special attention to physical access and try to rule out unauthorized access entirely, they also have to use special means of encrypting and encoding important information. Because banks' systems and data-protection tools are broadly similar, cryptographic protection is the measure of choice: it preserves commercial information and reduces the risk in the scenarios described above. Information is best stored in encrypted form using transparent encryption, which keeps the cost of protection down and frees users from having to encrypt and decrypt data by hand.
Given that the data in a banking system is, in effect, customers' money, its safety deserves due attention. One precaution is to check the drive for bad sectors before encryption begins. The ability to cancel or pause the process matters during the initial encryption, as well as during decryption and re-encryption of a disk: these operations take a long time, and a failure part-way through can otherwise lead to complete loss of the information. The most reliable place to keep the encryption keys is on a smart card or a USB token.
Protection of information systems is more effective when backups use not only tape drives (streamers) but also removable hard drives, DVD media and the like. Combining measures against physical access to information sources improves the chances of keeping it safe and out of the reach of competitors and attackers.
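The pause-and-resume requirement above is easiest to see in code. The following Go example is added here and is not code from the page or from any encryption product: it converts a storage image to encrypted form chunk by chunk with AES-256-GCM, records a checkpoint after every chunk, refuses to read back a half-converted volume, and shows why a restart that ignores the checkpoint destroys data by encrypting already-encrypted chunks a second time. The key, chunk size and record contents are constructed for the demo; in practice the key would come from the smart card or USB token the text recommends.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// chunkSize is deliberately tiny so the demo data stays readable; a real
// volume would use sector- or block-sized chunks (4 KiB and up).
const chunkSize = 16

// Volume models a storage image being converted to encrypted form chunk by
// chunk, together with the journal entry (Next) recording how far the
// conversion has progressed. Next is the checkpoint that makes the
// operation safe to pause, cancel and resume.
type Volume struct {
	chunks [][]byte
	Next   int // index of the first chunk that is still plaintext
	aead   cipher.AEAD
}

// NewVolume splits the plaintext image into chunks. The key must be 16, 24
// or 32 bytes; 32 bytes selects AES-256.
func NewVolume(plain, key []byte) (*Volume, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &Volume{aead: aead}
	for off := 0; off < len(plain); off += chunkSize {
		end := off + chunkSize
		if end > len(plain) {
			end = len(plain)
		}
		v.chunks = append(v.chunks, append([]byte(nil), plain[off:end]...))
	}
	return v, nil
}

// nonce derives a unique 96-bit GCM nonce from the chunk index. This is
// safe only because each chunk is sealed exactly once under this key during
// the initial conversion; a live volume that rewrites chunks needs a fresh
// nonce per write (or a disk-oriented mode such as XTS).
func (v *Volume) nonce(i int) []byte {
	n := make([]byte, v.aead.NonceSize())
	binary.BigEndian.PutUint64(n[len(n)-8:], uint64(i))
	return n
}

// Encrypt converts up to limit further chunks, advancing the checkpoint
// after every chunk, and returns how many chunks remain. A small limit
// models the pause/cancel function described in the text.
func (v *Volume) Encrypt(limit int) int {
	for done := 0; done < limit && v.Next < len(v.chunks); done++ {
		i := v.Next
		v.chunks[i] = v.aead.Seal(nil, v.nonce(i), v.chunks[i], nil)
		v.Next++ // journal update: chunk i is now ciphertext
	}
	return len(v.chunks) - v.Next
}

// RestartFromZero models a naive restart that ignores the journal and
// starts over from the first chunk: chunks that were already ciphertext get
// a second layer, and a single decryption pass can no longer recover them.
func (v *Volume) RestartFromZero() {
	v.Next = 0
	v.Encrypt(len(v.chunks))
}

// Decrypt reads the whole volume back. It refuses a partially converted
// volume, because a mix of plaintext and ciphertext chunks is exactly the
// state an interrupted conversion leaves behind.
func (v *Volume) Decrypt() ([]byte, error) {
	if v.Next != len(v.chunks) {
		return nil, errors.New("conversion incomplete: resume before reading")
	}
	var out bytes.Buffer
	for i, c := range v.chunks {
		p, err := v.aead.Open(nil, v.nonce(i), c, nil)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out.Write(p)
	}
	return out.Bytes(), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; really held on the token
	plain := []byte("constructed record: client 17 deposit 125000.00")
	v, err := NewVolume(plain, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("chunks left after pause:", v.Encrypt(2)) // operator pauses after two chunks
	v.Encrypt(len(v.chunks))                               // resume from the journal
	got, err := v.Decrypt()
	fmt.Println("round trip intact:", err == nil && bytes.Equal(got, plain))
}
```

The double-encryption failure is silent: GCM happily verifies the outer layer and hands back the inner ciphertext, so nothing reports an error and the "recovered" data is garbage. That is why the checkpoint, not the ability to pause alone, is what protects the data.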
Methods for protecting information systems from insiders
Information is stolen mostly by means of mobile media: USB devices of all kinds, disk drives, memory cards and other portable devices. One sound decision is therefore to ban the use of such devices in the workplace. Everything an employee needs is held on the servers, and in the banking environment what is transferred, from where and to where, is carefully monitored. Where a complete ban is too restrictive, only media purchased by the company may be allowed, and workstations can be configured so that they do not recognize foreign media or memory cards at all.
Protecting information is one of the most important tasks of banking organizations and a condition of their effective functioning. The modern market offers many ways to accomplish it; locking down workstations and their ports is an essential condition for more reliable protection of the systems.
It should not be forgotten that those who steal data are also familiar with the systems that protect commercial information and, with the help of specialists, can bypass them. To counter this, security must be improved continually and up-to-date protection systems used.