Using Automated Banking Certificates to Detect Unauthorised Financial Transactions
New or emerging technologies such as e-services, e-/m-commerce, Cyber-payment, mobile banking and pay-as-you-go insurance services are opening up new avenues for criminals to commit computer-related financial fraud and online abuse. This serious situation has been evidenced by the UK Information Security Breach Survey 2004 and the UK National Hi-Tech Crime Unit’s recent report, “Hi-Tech Crime: The Impact On UK Business”. It highlights that online financial fraud is one of the most serious e-crimes and takes the lion’s share of over 60% of e-crime costs, and most of the financial fraud cases are committed by authorised insiders. Authorised insiders can more easily break the security barrier of a bank or a financial institution due to their operating privileges on the banking automated systems. Failure to detect such cases promptly can lead to (sometimes huge) financial loses and damage the reputation of financial institutions. This paper introduces a real-time fraud detection solution – the Transaction Authentication Service (TAS) – to tackle the problem of transaction manipulation by authorised insiders. The paper also introduces an important building block used in the design of TAS, Automated Banking Certificates (ABCs).
KeywordsData integrity financial fraud Insider threats Security architecture
Unable to display preview. Download preview PDF.
- 2.Bank for International Settlements, Risk Management Priciples for electronic Banking, found on (January 2006), at http://www.bs.org/publ/bcbs98.htm
- 3.Corzo, C., Zhang, N.: Towards a real-time solution to the security threats posed by authorised insiders. In: Proceedings of the ECIW 2004: The 3rd European conference on information warfare and security, Royal Holloway, University of London, UK, June 28-29, 2004, pp. 51–60 (2004)Google Scholar
- 4.Damgard, I.: Collision free hash functions and public key signatures. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)Google Scholar
- 5.Damgard, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
- 6.Davies, D.W., Price, W.L.: The application of digital signatures based on public-key cryptosystems. In: Proc. Intl. Computer Communications Conference, October 1980, pp. 525–530 (1980)Google Scholar
- 8.Diffie, W.: Ten first years of public key cryptography. In: Proceedings of the IEEE, 76th edn., pp. 560–577 (May 1988)Google Scholar
- 10.Haber, S., Stornetta, W.: How to time-stamp a digital document. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 437–455. Springer, Heidelberg (1991)Google Scholar
- 12.Merkle, R.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
- 13.Muñoz, J., Forbe, J., Esparza, O.: Certificate revocation system implementation based on the Merkle hash tree. Journal of Information Security 2(2) (2004)Google Scholar
- 15.Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21(2) (February 1978)Google Scholar
- 16.Tsudik, G.: Message authentication with one-way hash functions. In: Eleventh Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 3, pp. 2055–5059. IEEE, Los Alamitos (1992)Google Scholar
- 18.Rivest, R.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar