The whole of India is in turmoil over the latest banking fraud. Print media, news channels and the internet are all discussing the same topic, and something close to panic is spreading. Security breaches are common, but this time something far worse has happened: the biggest financial data breach so far has affected 32 lakh debit cards, and as a result banks have blocked ATM cards without any advance notice. Yet attacks of this kind are neither new nor unusual. With the growing spread of Internet connectivity, online shopping (e-commerce), mobile wallets and IoT (Internet of Things), such threats are bound to increase, largely because of a casual approach to security. We tend to be highly technical, keep spending money on high-end appliances and software, and forget the basics instead of applying common sense.
Our approach is always reactive. The moment an attack takes place, the whole ecosystem works on protecting against that one method, forgetting that the attacker will soon come back with a new strategy rather than repeat the old one. Success lies in continuity, in blending people, process and tools (technology), and in making the different hardware and software products work together instead of running in silos. The core problem lies in outsourcing through multiple layers, each of which declines to own responsibility; across the whole chain, accountability and ownership are missing. Consider the Indian banking threats, or the Bangladesh cyber-attacks, where the incidents were suppressed by the authorities for months so that the ripples in the community would be smaller. Had the compromise of data and the scale of the loss been known to the common man beforehand, people could have been more cautious and much of the impact could have been avoided.
The first and most important factor is for the government to frame policy and law, and to enforce it, so that banks (and their downstream providers), BFSI organisations, third-party payment gateways and mobile wallets are strictly bound by compliance, governance and penalty clauses in case of default. Protection strategies for debit and credit cards are already benchmarked internationally by the PCI DSS framework, which expects controls in areas such as the following:
- Security Information and Event Management (SIEM)
- Vulnerability Assessment
- Data Leakage Protection (DLP)
- File Integrity Monitoring (FIM)
- Host Intrusion Prevention (HIPS)
- Web Content Filtering
- End point Encryption
- Web Application Firewall (WAF)
- Endpoint Security
- Penetration Testing (PT)
- Privilege Account Management (PAM)
- Identity Management (IDM)
Information security is covered under ISO 27001:2013, IT service management under ISO 20000, business continuity under ISO 22301:2012 and risk management under ISO 31000, while the software industry is covered by CMMI. Following these standards, with enforcement by the authorities, will improve the situation.
Moreover, periodic monitoring of the infrastructure and the security infrastructure, event correlation and reporting, vulnerability assessment, penetration testing and proactive measures taken before a threat materialises will minimise the chances of failure.
Now, what simple strategies can the poor common man adopt? Here are a few very simple but powerful strategies driven by common sense:
- Change your ATM/debit/credit card PINs at regular intervals.
- Link your cards with your mobile number and email address, if not already done.
- Move immediately to a chip-based card or grid card and enable two-factor authentication (OTP by SMS/mail etc.).
- That's not all. Avoid creating PINs or passwords from names, surnames, dates of birth or anniversaries (yours, your parents', your spouse's or your children's), as these can be predicted very easily from your social-media footprint. Use alphanumeric passwords stitched together with special characters.
- Use a reputable, benchmarked antivirus (preferably a full "Total Protection" suite) on every desktop, laptop, mobile and tablet. Avoid free or cracked software; saving INR 2000 a year may lead to a major problem.
- Use any banking or e-commerce site only over a secure (SSL/TLS) connection, i.e. the address should show "https://" rather than "http://". Also check that the domain shown is really your bank's; https only secures the connection to whichever site you happen to be on.
- Avoid saving online banking, e-commerce and mail passwords in the browser for convenience.
- Do not keep passwords written down anywhere, in any form (not in Word, Excel, the cloud, printed paper or handwritten notes).
- Avoid non-standard games and applications, as many applications are built to sniff data.
- The latest smartphones and tablets have application permission controls. Block every application's access to anything it does not need (contacts, SMS, camera etc.).
- Never send password or PIN information by mail, WhatsApp etc., since it then sits in a repository that can later be compromised.
- For international transactions that do not require two-factor authentication (i.e. only the CVV applies), avoid transacting except with renowned players. Here the government should also push Master/VISA to relook at their policies and enforce two factors as well.
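The tip above on PINs and passwords says not to build them from names, birthdays or anniversaries, because those facts are harvested from social media and tried first. The following checker is an added example, not code from the original post, showing how such a guess list is built and how a candidate PIN or password is tested against it, together with the "alphanumeric stitched with special characters" rule. The names, dates and candidate secrets are constructed for illustration, and the function names are this example's own.

```python
"""Added example (not from the original post): flag PINs and passwords that
are derived from personal facts an attacker can harvest from social media,
and check the 'alphanumeric stitched with special characters' rule.
All names, dates and candidate secrets are constructed for illustration."""
from datetime import date
import re
import string

SEQUENCE = "0123456789"          # ascending digit run
REVERSE_SEQUENCE = SEQUENCE[::-1]


def date_fragments(iso_date: str) -> list:
    """Digit strings people commonly derive from a date: ddmm, mmdd, ddyy,
    yyyy, ddmmyy, ddmmyyyy and so on (4+ digits only, sorted so that the
    reported match is deterministic)."""
    d = date.fromisoformat(iso_date)
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    frags = {dd + mm, mm + dd, dd + yy, yy + dd, mm + yy, yy + mm, yyyy,
             dd + mm + yy, mm + dd + yy, yy + mm + dd,
             dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd}
    return sorted(f for f in frags if len(f) >= 4)


def name_fragments(names) -> list:
    """Lower-cased name parts of 3+ letters (first names, surnames, pet names)."""
    frags = set()
    for full_name in names:
        for part in re.split(r"[\s.\-]+", full_name.lower()):
            if len(part) >= 3:
                frags.add(part)
    return sorted(frags)


def is_predictable(secret: str, names, iso_dates) -> list:
    """Return the reasons a PIN/password is guessable from the given personal
    facts; an empty list means none of these checks fired."""
    reasons = []
    lowered = secret.lower()
    digits = re.sub(r"\D", "", lowered)

    for frag in name_fragments(names):
        if frag in lowered:
            reasons.append(f"contains name fragment '{frag}'")

    for iso in iso_dates:
        for frag in date_fragments(iso):
            if frag in digits:
                reasons.append(f"contains date fragment '{frag}' from {iso}")
                break  # one hit per date is enough

    # Classic weak PIN shapes that need no personal data at all.
    if len(digits) >= 4 and len(set(digits)) == 1:
        reasons.append("repeated digit")
    if len(digits) >= 4 and (digits in SEQUENCE or digits in REVERSE_SEQUENCE):
        reasons.append("sequential digits")
    return reasons


def meets_complexity(password: str, min_len: int = 12) -> bool:
    """The tip's rule: letters and digits stitched together with at least one
    special character, and long enough to resist brute force."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    # Constructed profile: the kind of facts visible on a public social page.
    names = ["Rahul Sharma", "Priya"]
    dates = ["1985-03-15", "2012-11-20"]   # birthday, wedding anniversary
    for candidate in ["1503", "rahul@1985", "Priya2011", "7f#Tq9vL2mxR"]:
        problems = is_predictable(candidate, names, dates)
        print(f"{candidate!r}: {problems or 'no personal-data match'}; "
              f"complexity ok: {meets_complexity(candidate)}")
```

The point of running it is to see that a four-digit PIN like 1503 is not random at all once the cardholder's birthday is known, while a password that passes `meets_complexity` and matches no fragment gives an attacker nothing to start from.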
These are not all; there is a lot more in this arena. I have been discussing this subject on a few television channels over the last few days, and since a lot of people requested it, I thought of writing down a few basic tips for the common man.
We will discuss and brainstorm this in depth at our upcoming conference Infocon, and we will be bringing out a printed magazine on the same theme, one of the first of its kind.
We will cover technology-oriented knowledge sharing on targeted attacks such as ransomware, APT (advanced persistent threat), cyber forensics etc.
Stay tuned for more on 18th November, 2016 at the CII Suresh Neotia Centre of Excellence, Saltlake.