Bitcoin Forum
Author Topic: How Large Bank Websites are Secured  (Read 581 times)
ryanender
Newbie
Activity: 25
June 21, 2011, 03:24:01 AM
 #1

The recent "flash crash" experienced by Mt. Gox has led me to discover how large, traditional banks secure their websites.  I've looked through the forums, and haven't seen anything similar.  Here's what I've discovered...

The Federal Financial Institutions Examination Council (FFIEC) InfoBase was established by Congress in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, to make recommendations to promote uniformity in the supervision of financial institutions, and to conduct schools for examiners.

From www.ffiec.gov

Quote
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

The FFIEC (Federal Financial Institutions Examination Council) has developed a set of "IT Booklets" outlining their standards for compliance for all aspects of banking.  IT Booklets governing "E-Banking" can be found at http://ithandbook.ffiec.gov/it-booklets/e-banking.aspx.

I'll be spending time reading through these IT Booklets over the next few days to see where Mt. Gox got it wrong.  It's almost certain they did not harden their systems to any sort of standards, but it'll help me to know how a bank does it right, and understand what is required to secure an E-Bank properly.

From the FFIEC Wiki (http://en.wikipedia.org/wiki/Federal_Financial_Institutions_Examination_Council)

Quote
FFIEC compliance is conformance to a set of standards for online banking issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC). The standards require multifactor authentication (MFA) because single-factor authentication (SFA) has proven inadequate against the tactics of increasingly sophisticated hackers, particularly on the Internet. In MFA, more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, SFA involves only a user ID and password.

Authentication methods that can be used in MFA include biometric verification such as finger scanning, iris recognition, facial recognition and voice ID. In addition to these methods, smart cards and other electronic devices can be used along with the traditional user ID and password. The outstanding feature of the FFIEC guidelines is the requirement that encryption be used in all online transaction processing (OLTP) done by financial institutions. The level of encryption must be sufficient to prevent unauthorized disclosure within a bank's internal networks and among shared external networks.

In order to determine whether or not an institution is in compliance with FFIEC guidelines, comprehensive assessments of the internal environment must be conducted to identify potential security weaknesses and threats. Then goals must be set, solutions implemented and periodic risk assessments performed in order to maintain an adequate level of security.

trance9
Newbie
Activity: 8
June 21, 2011, 05:37:04 AM
 #2

These types of standards are very generic. They talk about logical/theoretical separation of pieces of data, roles which have access to them, etc. They may mention specific types of attacks but not the specific implementation used to defend against them. The standards are then applied to the business by the company and verified by an auditor. Of course, in practice, the auditor likely isn't going to poke holes in the application like hackers around the globe will - he's just going to run some automated tests of known exploits and common obvious mistakes.

Any time there is a database, someone is going to need to have access to it. How do you know that person will protect it 100% without fail? How do you know that if you put enough incentive on the line, that a switch won't flip in their head and turn them into the bad guy? If you are employing/paying people for service on your system, internal breaches are the easiest and most likely, and most difficult to guard against - you can't guess another person's behavior with 100% accuracy.

That is why the various financial computer security standards emphasize the use of multiple roles to do any one task. For instance, making a code change could require authentication by both a coder and a reviewer. Then you are limiting your possibility of a breach to blatant negligence of multiple parties or collusion.
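The coder-plus-reviewer rule described in the post above, as an added illustration that is not part of the thread: a hypothetical dual-control check in which a change is only accepted when an independent account holding the reviewer role signs off, so that no single insider can push a change alone. The role directory and accounts are constructed sample data.

```python
# Added example, not from the forum thread: a minimal separation-of-duties
# (dual-control) check for change approval. ROLES is a constructed directory.
from dataclasses import dataclass, field

# Constructed sample directory: which roles each account holds.
ROLES = {
    "alice": {"coder", "reviewer"},
    "bob":   {"reviewer"},
    "carol": {"coder"},
}


@dataclass
class Change:
    author: str
    approvals: set = field(default_factory=set)  # accounts that signed off


def has_role(user, role):
    return role in ROLES.get(user, set())


def check_dual_control(change, min_reviewers=1):
    """Return (ok, reason).

    The author must hold the coder role, and the change needs approvals from
    at least min_reviewers distinct accounts that hold the reviewer role and
    are not the author. An account holding both roles still cannot approve
    its own change, so a breach requires negligence or collusion of at least
    two people rather than one insider acting alone.
    """
    if not has_role(change.author, "coder"):
        return False, f"{change.author} is not an authorized coder"
    reviewers = {u for u in change.approvals
                 if u != change.author and has_role(u, "reviewer")}
    if len(reviewers) < min_reviewers:
        return False, (f"need {min_reviewers} independent reviewer(s), "
                       f"got {len(reviewers)}")
    return True, "approved by " + ", ".join(sorted(reviewers))


if __name__ == "__main__":
    # alice authored and tries to approve her own change: blocked.
    print(check_dual_control(Change("alice", {"alice"})))
    # alice authored, bob (an independent reviewer) approved: allowed.
    print(check_dual_control(Change("alice", {"bob"})))
    # bob has no coder role, so he cannot author a change at all.
    print(check_dual_control(Change("bob", {"alice"})))
```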
matt.collier
Member
Activity: 105
June 22, 2011, 04:04:50 PM
 #3

I think this is applicable as well:

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

https://www.pcisecuritystandards.org/

[EDIT]
Mark states in this interview that Mt. Gox is working with an unnamed Japanese certification company to become PCI DSS compliant.