17 September 2014

Innovation and vision

Vishwanath Thanalapatti - Risk Management Professional

A related Finextra news item:

Hackers nab 500,000 Oz credit card numbers (17 August 2012)

Aussie police say that hackers targeting merchant computer systems may have stolen half a million credit card numbers and racked up A$25 million in fraudulent transactions.

NFC to POS -- Check and mate: The end game for key loggers

20 August 2012

I am not at all surprised at this.  It is sub judice even to discuss what the investigation will reveal; yet I will risk my last cent if it is not an ‘inside job’ with the connivance of the POS folks. It was the butler after all.

The phrase ‘information security’ on Google search throws up 874,000,000 results (0.17 seconds) and the phrase ‘key logger’ 4,690,000 results (0.21 seconds). It is safe to conclude the world is aware of information security and key logging. Yet we have the global population merrily using keyboards to key in passwords without much thought, as this incident reveals.

I have done internet banking transactions in Canada and India. I see it is much safer in India as compared with Canada. One simple example: on the log-in page the user has an option to select a virtual keyboard to input the user ID and password, a sure protection against ‘key loggers’. I have this noted in my book under the section ‘Trifles that matter’. My Canadian bank still believes the keyboard is the 'way in' for internet banking.

Extending this logic, each POS, ATM or internet banking page can offer a virtual keyboard as an option. Alternately, each transaction that requires keying in a password can use two-factor authentication: the password itself, in conjunction with a ‘One Time Password’ sent by SMS, which together approve the transaction. This can be a 3-digit randomly generated alpha-numeric key. A more secure option is to shuffle the virtual keyboard away from the standard ‘QWERTY’ layout for each access event. These are all classic examples within the existing paradigm.
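To make the "shuffle the virtual keyboard for each access event" idea concrete, here is an added Python sketch that is not from the post or from any bank's implementation: the server issues a freshly shuffled layout per login attempt, the client reports only the positions clicked, and the layout is discarded after one use, so captured positions do not replay. The class name `VirtualKeyboardLogin`, the session-id scheme and the sample password are all invented for this example.

```python
import secrets
import string

# Characters the on-screen keyboard offers (constructed for this example).
ALPHABET = string.ascii_lowercase + string.digits


def new_layout(rng=None):
    """Position i of the result is the character drawn on the i-th on-screen
    key. Shuffled with the OS CSPRNG unless a seeded generator is passed in
    (useful only for reproducible tests)."""
    layout = list(ALPHABET)
    (rng or secrets.SystemRandom()).shuffle(layout)
    return layout


def positions_for(layout, text):
    """Client side: the browser reports which keys were clicked, by position,
    never the characters they carried."""
    index = {ch: i for i, ch in enumerate(layout)}
    return [index[ch] for ch in text]


def decode(layout, positions):
    """Server side: map positions back through the layout issued for this
    access event. Returns None if any position is off the keyboard."""
    if not all(isinstance(p, int) and 0 <= p < len(layout) for p in positions):
        return None
    return "".join(layout[p] for p in positions)


class VirtualKeyboardLogin:
    """One layout per login attempt, discarded once used, so positions a click
    logger captured do not replay. A trojan grabbing the screen still sees them."""

    def __init__(self, rng=None):
        self._rng = rng
        self._layouts = {}  # session id -> layout issued for that attempt

    def issue(self):
        sid = secrets.token_hex(8)
        self._layouts[sid] = new_layout(self._rng)
        return sid, self._layouts[sid]

    def verify(self, sid, positions, expected_password):
        layout = self._layouts.pop(sid, None)  # single use: gone after this
        typed = decode(layout, positions) if layout else None
        if typed is None:
            return False
        return secrets.compare_digest(typed.encode(), expected_password.encode())
```

The comparison uses `secrets.compare_digest` so the server does not leak how many leading characters matched through timing.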

A shift in paradigm is a necessity. We do have the technology available and it is ubiquitous. You guessed it right the first time. Yes! It is NFC. Google Wallet 2.0 (if I may so call it) is perfect to stymie the growing global community of ‘key loggers’. I am talking about the front-end virtual card with the ‘real’ cards linked in the background. This will ensure privacy and security. The ‘secure element’ that Google talks about, I am sure, is a good safeguard guaranteeing privacy. A quick adoption of this technology will create welcome unemployment in the ‘keyloggers’ industry.

Tags: Security, Online banking

Comments: (3)

Gerhard Schwartz - Hewlett-Packard | 22 August, 2012, 08:24

Today's smartphones are at least as vulnerable as PCs are; when facing "unemployment", keyloggers will quickly adapt to the new target platform. Virtual keyboards aren't the panacea either; there are some trojans that can read those too ...

Vishwanath Thanalapatti - Risk Management Professional - Toronto, Canada | 22 August, 2012, 15:15

I agree with you there. Nothing is secure in the long run. In this cat and mouse game staying ahead matters. As we speak we have NFC and virtual keyboards that are dynamic and context based that are relatively safer. Surely not forever though. Relevant technology at that point in time will probably have a solution.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 August, 2012, 18:58

I've seen some banks in the UK who used to support virtual keyboards on their Internet Banking login screens have now removed them. Could it be because virtual keyboards are more vulnerable to "looking over the shoulder" threat vector?

If the threat of keylogging is really so serious, the Indian regulation imposing 2FA for each and every - not just high-value - CNP transaction is somewhat counterproductive. At least, it appears so based on the precedent of the PATCO v. OCEAN BANK ACH fraud lawsuit in the USA, where the court of appeals found in favor of the plaintiff. One of the major factors that went against the bank was its decision to lower the threshold of its Q&A challenge from US$ 1000 to US$ 1. The bank thought it was improving security by doing this. But, the court ruled that, with rampant keylogging, keyloggers got many more opportunities to harvest the right answers with a lower threshold! Yet another example of "unintended consequences", I guess...
