Information protection in banking systems. Information security of the bank

The banking sector has faced the problem of confidentiality, storage and protection of information from the very beginning. Data security plays an important role in a banking institution's business, since competitors and criminals are always interested in such information and make every effort to obtain it. To avoid problems of this kind, you need to learn how to protect banking data. For the protection of banking information to be effective, all possible channels of information leakage must be taken into account first of all, including the human one: carefully check the people you hire, verifying their biographical data and previous employment.

Information security of banking institutions

All information processed by banking and credit organizations is at risk: customer data as well as data on the banks' own operations, their databases, and so on. Such information can be useful both to competitors and to individuals involved in criminal activity, and their actions cause far greater damage to organizations of this kind than virus infections of equipment or operating system failures.

Protecting banking servers and local networks from intruders and from unauthorized access to company materials is simply a necessity in today's highly competitive environment.

Information security of banking systems matters because it guarantees the confidentiality of data about bank customers. The daily backups that such organizations perform reduce the risk of complete loss of important information. In addition, methods have been developed to protect data from threats related to unauthorized access. A leak of this kind of information can result from the work of both agents specially planted in the organization and long-serving employees who have decided to make money by stealing the bank's information assets. Security is ensured by the work of professionals who know their business.

Protecting customers is one of the most important factors affecting the reputation of the bank as a whole, and with it the organization's income, since only good reviews will help the bank reach a high level of service and outperform competitors.

Unauthorized access to information of banking systems

One of the most common ways to steal banking information is through backups: removing data from storage media, or staging a break-in whose aim is not material assets but access to the information on the server. Since backups are usually stored at separate locations on tape, copies can be made while they are being transported to their destination. That is why employees hired for such work are carefully screened through various government bodies for a criminal record and past problems with the law, including the accuracy of the information they provided about themselves. This possibility of theft should not be underestimated, because world practice is full of such cases.

For example, in 2005 databases of postings of the Central Bank of the Russian Federation were put up for sale. It is possible that this information leaked outside the banking organization precisely because of insufficient security of banking systems. Similar situations have happened more than once at world-famous companies in the United States of America, whose information security suffered greatly as a result.

Another way information leaks from systems is through bank employees eager to make money on it. Although in most cases unauthorized access to banking system information is obtained only in order to be able to work from home, such employees become the cause of the dissemination of confidential information, and this is a direct violation of the security policy of the banking organization's systems.

It should also be taken into account that in any bank there are people with significant privileges of access to such data, usually the system administrators. On the one hand, this is an operational necessity that enables them to perform their official duties; on the other hand, they can use it for their own purposes, and they are able to professionally cover their tracks.

Ways to reduce the risk of information leakage

Protection of banking information from unauthorized access usually includes at least three components, each of which ensures the safety of the bank in the area where it is applied: protection from physical access, backups, and protection from insiders.

Since banks pay special attention to physical access and try to exclude the very possibility of unauthorized access, they have to use special tools and methods for encrypting and encoding important information. Because banks have similar systems and tools for protecting data, cryptographic protection is the better choice: it helps preserve commercial information and reduces the risk of such situations. It is best to store information in encrypted form using transparent encryption, which reduces the cost of protecting information and eliminates the need for users to constantly decrypt and encrypt data themselves.

Given that all the data of banking systems is in effect the clients' money, due attention should be paid to its safety. One precaution is to check the hard drive for bad sectors beforehand. The ability to cancel or pause the process plays an important role in the initial encryption, decryption and re-encryption of a disk: such a procedure takes a long time, and any failure in the middle of it can lead to complete loss of information. The most secure way to store encryption keys is on smart cards or USB tokens.
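The pause-and-cancel requirement above boils down to making a long in-place (re)encryption survive interruption. The Python below is an added example, not code from the article: it journals each chunk's pre-image before overwriting it, so that an operator pause or a crash in the middle of a chunk can be resumed without losing data. The 4 KiB chunk size, the file-based "disk" and journal, and the HMAC-SHA256 counter-mode keystream standing in for a real disk cipher are all assumptions.

```python
# Added example, not code from the article: resumable in-place re-encryption of
# a "disk" with a write-ahead journal, so a pause or a crash never loses data.
# Assumed: the disk is a plain file handled in fixed chunks, and the cipher is an
# HMAC-SHA256 counter-mode keystream standing in for a real disk cipher.
import hashlib
import hmac
import os
import struct
import tempfile
from typing import Optional, Tuple

CHUNK = 4096  # bytes converted per step; progress is journaled per chunk

def keystream(key: bytes, nonce: bytes, chunk: int, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(key, nonce || chunk || counter), truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + struct.pack(">QQ", chunk, counter)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def transform(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt or decrypt a whole image (stream cipher: the same operation)."""
    out = bytearray()
    for i in range(0, len(data), CHUNK):
        block = data[i:i + CHUNK]
        out += xor_bytes(block, keystream(key, nonce, i // CHUNK, len(block)))
    return bytes(out)

def sync_write(f, offset: int, data: bytes) -> None:  # write, then force to disk
    f.seek(offset)
    f.write(data)
    f.flush()
    os.fsync(f.fileno())

def write_journal(path: str, index: int, backup: bytes) -> None:
    """Atomically record: chunk `index` is next; `backup` is its pre-image or empty."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        sync_write(f, 0, struct.pack(">Q", index) + backup)
    os.replace(tmp, path)  # atomic rename: the journal is never half-written

def read_journal(path: str) -> Tuple[int, bytes]:
    if not os.path.exists(path):
        return 0, b""  # fresh start
    with open(path, "rb") as f:
        raw = f.read()
    return struct.unpack(">Q", raw[:8])[0], raw[8:]

def reencrypt(disk: str, journal: str, old_key: bytes, old_nonce: bytes,
              new_key: bytes, new_nonce: bytes, max_chunks: Optional[int] = None,
              crash_after_write: bool = False) -> int:
    """Convert `disk` from old_key to new_key in place; returns chunks done this run.
    The journal is written before each overwrite, so after any failure the resume
    restores the saved pre-image (harmless if the overwrite never happened) and
    redoes that chunk. max_chunks / crash_after_write simulate pause and crash."""
    total = (os.path.getsize(disk) + CHUNK - 1) // CHUNK
    index, backup = read_journal(journal)
    done = 0
    with open(disk, "r+b") as f:
        if backup:  # the previous run died mid-chunk: roll back to a known state
            sync_write(f, index * CHUNK, backup)
        while index < total and (max_chunks is None or done < max_chunks):
            f.seek(index * CHUNK)
            c_old = f.read(CHUNK)
            write_journal(journal, index, c_old)                    # 1. intent + pre-image
            plain = xor_bytes(c_old, keystream(old_key, old_nonce, index, len(c_old)))
            c_new = xor_bytes(plain, keystream(new_key, new_nonce, index, len(c_old)))
            sync_write(f, index * CHUNK, c_new)                     # 2. overwrite in place
            done += 1
            if crash_after_write:
                return done                                        # simulated power loss
            index += 1
            write_journal(journal, index, b"")                     # 3. commit the chunk
    return done

def demo_interrupted_rekey() -> bool:
    """Pause after 2 chunks, crash inside the 3rd, resume; the data must survive."""
    plain = os.urandom(3 * CHUNK + 1000)  # constructed sample: 3 chunks plus a tail
    old_key, new_key = os.urandom(32), os.urandom(32)
    old_nonce, new_nonce = os.urandom(16), os.urandom(16)
    with tempfile.TemporaryDirectory() as d:
        disk, journal = os.path.join(d, "disk.img"), os.path.join(d, "disk.journal")
        with open(disk, "wb") as f:
            f.write(transform(plain, old_key, old_nonce))
        args = (disk, journal, old_key, old_nonce, new_key, new_nonce)
        paused = reencrypt(*args, max_chunks=2)             # operator pauses
        crashed = reencrypt(*args, crash_after_write=True)  # power loss mid-chunk
        resumed = reencrypt(*args)                          # resume to completion
        with open(disk, "rb") as f:
            recovered = transform(f.read(), new_key, new_nonce)
    return (paused, crashed, resumed) == (2, 1, 2) and recovered == plain
```

Without the pre-image in the journal, a crash between the overwrite and the progress update would make the resume decrypt an already converted chunk with the old key and destroy it; the rollback step is what makes the procedure safe to interrupt at any point.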

Protection of information systems is more efficient when not only tape streamers but also removable hard drives, DVD media and other carriers are used. Combined use of means of protection against physical access to information sources increases the chances of keeping it safe and out of reach of competitors and intruders.

Methods for protecting information systems from insiders

Theft of information is mostly carried out using mobile media: various USB devices, disk drives, memory cards and other portable devices. Therefore, one of the right decisions is to ban the use of such devices in the workplace. Everything that is needed is kept on servers, and where information is transmitted to and from within the banking environment is carefully monitored. In addition, in extreme cases only media purchased by the company are allowed to be used, and special restrictions can be set that prevent computers from recognizing third-party media and memory cards.

Information protection is one of the most important tasks of banking organizations, necessary for their effective functioning, and the modern market offers ample means to implement it. Locking down computers and their ports is an essential condition for protecting the systems more reliably.

It should not be forgotten that those who steal data are also familiar with the systems that protect commercial information and can bypass them with the help of specialists. To prevent such risks, you need to work constantly on improving security and use improved protection systems.

The information security strategy of banks is very different from the similar strategies of other companies and organizations. This is primarily due to the specific nature of the threats, as well as the public activities of banks, which are forced to make access to accounts easy enough for the convenience of customers.

An ordinary company builds its information security around a narrow range of potential threats, mainly the protection of information from competitors (in Russian conditions, the main task is to protect information from the tax authorities and the criminal community in order to reduce the likelihood of an uncontrolled increase in tax payments and racketeering). Such information is of interest only to a narrow circle of interested persons and organizations and is rarely liquid, i.e. convertible into cash.

The information security of the bank should take into account the following specific factors:

1. Information stored and processed in banking systems represents real money. Based on computer information, payments can be made, loans can be opened, and significant amounts can be transferred. It is quite clear that illegal manipulation of such information can lead to serious losses. This feature dramatically expands the circle of criminals who target banks specifically (unlike, for example, industrial companies, whose inside information is of little interest to anyone).

2. Information in banking systems affects the interests of a large number of people and organizations - bank customers. As a rule, it is confidential, and the bank is responsible for providing the required degree of secrecy to its customers. Naturally, customers have the right to expect that the bank should take care of their interests, otherwise it risks its reputation with all the ensuing consequences.

3. The competitiveness of the bank depends on how convenient it is for the client to work with the bank and how wide the range of services provided is, including services related to remote access. Therefore, the client should be able to manage his money quickly and without tedious procedures. But this ease of access to money increases the likelihood of criminal intrusion into banking systems.

4. The information security of a bank (unlike most companies) must ensure high reliability of computer systems even in case of emergency situations, since the bank is responsible not only for its own funds, but also for the money of customers.

5. The bank stores important information about its customers, which expands the circle of potential intruders interested in stealing or damaging such information.

Crimes in the banking sector also have their own characteristics:

  • Many crimes committed in the financial sector remain unknown to the general public, because bank managers do not want to disturb their shareholders, are afraid of exposing their organization to new attacks, and fear damaging their reputation as a reliable custodian of funds and, as a result, losing customers.
  • As a rule, attackers use their own accounts, to which the stolen amounts are transferred. Most criminals do not know how to launder stolen money: the ability to commit a crime and the ability to get the money are not the same thing.
  • Most computer crimes are petty. The damage from them lies in the range from $10,000 to $50,000.
  • Successful computer crimes typically require a large number of banking operations (up to several hundred). However, large amounts can be transferred in just a few transactions.
  • Most intruders are clerks. Although senior bank personnel can also commit crimes and cause much more damage to the bank, such cases are rare.
  • Computer crimes are not always high-tech. It is enough to falsify data, change the parameters of the ASOIB (the bank's automated information processing system) environment, etc., and these actions are also available to maintenance personnel.
  • Many attackers explain their actions by saying that they are only borrowing from the bank and will return the money later. However, the "return", as a rule, never happens.

The specifics of protecting banks' automated information processing systems (ASOIB) are due to the peculiarities of the tasks they solve:

  • As a rule, an ASOIB processes a large stream of constantly arriving requests in real time; each request on its own does not require many resources to process, but together they can only be handled by a high-performance system.
  • An ASOIB stores and processes confidential information that is not intended for the general public. Its forgery or leakage can lead to serious consequences for the bank or its customers. Therefore, ASOIBs are doomed to remain relatively closed, to operate under the control of specific software, and to pay great attention to their security.
  • Another feature of ASOIBs is the increased requirements for the reliability of hardware and software. Because of this, many modern ASOIBs gravitate toward the so-called fault-tolerant computer architecture, which allows continuous processing of information even in the face of various faults and failures.

There are two types of tasks solved by ASOIB:

1. Analytical. This type includes planning tasks, analysis of accounts, etc. They are not urgent and may take a long time to solve, and their results may affect the bank's policy towards a particular client or project. Therefore, the subsystem with which analytical tasks are solved must be reliably isolated from the main information processing system. Solving such tasks usually does not require powerful computing resources; 10-20% of the capacity of the entire system is usually enough. However, in view of the possible value of the results, their protection must be permanent.

2. Routine. This type includes tasks solved in daily activities, primarily making payments and adjusting accounts. These tasks determine the size and capacity of the bank's main system; their solution usually requires far more resources than analytical tasks. At the same time, the value of the information processed in solving such tasks is temporary: gradually, information about, for example, the execution of a payment becomes irrelevant. Naturally, this depends on many factors, such as the amount and time of payment, the account number, additional characteristics, etc. Therefore, it is usually sufficient to protect a payment at the moment of its execution, while the protection of the processing itself and of the final results must be constant.

What protection measures for information processing systems do foreign experts prefer? This question can be answered using the results of a survey conducted by the Datapro Information Group in 1994 among banks and financial institutions:

  • 82% of respondents have a formulated information security policy. Compared to 1991, the percentage of organizations with a security policy has increased by 13%.
  • Another 12% of those surveyed plan to develop a security policy. A clear trend is visible: organizations with a large number of personnel are more likely to have a developed security policy than organizations with a small number of personnel. For example, according to this survey, only 66% of organizations with fewer than 100 employees have a security policy, while among organizations with more than 5,000 employees the share is 99%.
  • In 88% of organizations that have an information security policy, there is a special unit responsible for its implementation. In organizations that do not maintain such a unit, these functions are mainly assigned to the system administrator (29%), the information system manager (27%) or the physical security service (25%). This shows a tendency to separate the employees responsible for computer security into a dedicated unit.
  • In terms of protection, special attention is paid to protecting computer networks (90%), large computers (82%), recovering information after accidents and disasters (73%), protecting against computer viruses (72%), and protecting personal computers (69%).

We can draw the following conclusions about the features of information protection in foreign financial systems:

  • The main thing in protecting financial organizations is prompt and, if possible, complete recovery of information after accidents and failures. About 60% of the financial institutions surveyed have a recovery plan, and in more than 80% of them it is reviewed annually. Protection of information from destruction is achieved mainly by creating backups and storing them off-site, by using uninterruptible power supplies, and by organizing a "hot" reserve of hardware.
  • The next most important problem for financial institutions is managing user access to stored and processed information. Various access control software systems are widely used here, which can sometimes replace anti-virus software. Mostly purchased access control software is used. Moreover, in financial institutions special attention is paid to such user management on the network. However, certified access controls are extremely rare (3%). This can be explained by the fact that certified software is difficult to work with and extremely expensive to operate, because the certification parameters were developed with the requirements for military systems in mind.
  • The distinguishing features of network protection in financial organizations include the widespread use of standard (i.e. adapted, but not specially developed for a particular organization) commercial software for network access control (82%) and the protection of points of connection to the system via dial-up communication lines (69%). Most likely this is due to the greater prevalence of telecommunications in the financial sector and the desire to protect against outside interference. Other methods of protection, such as anti-virus tools, end-to-end and link encryption of transmitted data, and message authentication, are used to roughly the same extent and, with the exception of anti-virus tools, in less than 50% of the surveyed organizations.
  • Much attention in financial institutions is paid to the physical protection of the premises in which computers are located (about 40%). This means that the protection of computers from access by unauthorized persons is achieved not only with software but also by organizational and technical means (guards, combination locks, etc.).
  • Local encryption of information is used by just over 20% of financial institutions. The reasons are the complexity of key distribution, strict requirements for system performance, and the need for prompt recovery of information after faults and equipment failures.
  • Significantly less attention in financial organizations is paid to the protection of telephone lines (4%) and the use of computers designed to meet the requirements of the Tempest standard (protection against information leakage through electromagnetic radiation and interference channels). In state organizations, much more attention is paid to counteracting the collection of information through electromagnetic radiation and pickups.

An analysis of the statistics allows an important conclusion: the protection of financial organizations (including banks) is built somewhat differently from that of ordinary commercial and government organizations. Therefore, the technical and organizational solutions developed for standard situations cannot be applied unchanged to protect an ASOIB. You cannot mindlessly copy other people's systems; they were developed for other conditions.

With the development and expanding use of computer technology, the problem of ensuring the security of computing systems and protecting the information stored and processed in them from various threats is becoming more and more acute. There are several objective reasons for this.

The main one is the increased level of trust placed in automated information processing systems. They are entrusted with the most responsible work, on the quality of which the lives and well-being of many people depend: computers control technological processes at enterprises and nuclear power plants and the movement of aircraft and trains, perform financial operations, and process secret information.

Various options for protecting information are known, from a security guard at the entrance to mathematically verified methods of hiding data from being read. In addition, one can speak of overall protection and of its individual aspects: protection of personal computers, networks, databases, etc.

It should be noted that there are no absolutely secure systems. One can speak of the reliability of a system, firstly, only with a certain probability, and secondly, only with respect to a certain category of violators. However, intrusions into a computer system can be foreseen. Defense is a kind of competition between defense and attack: whoever knows more and provides for effective measures wins.

The organization of protection of a bank's automated information processing system is a single set of measures that should take into account all the features of the information processing process. Despite the inconvenience caused to the user, in many cases protection measures are absolutely necessary for the normal functioning of the system. The main such inconveniences include (Gaikovich Yu.V., Pershin A.S. Security of electronic banking systems. M.: United Europe, 1994, p. 33):

1. Additional difficulties in working with most secure systems.
2. The increased cost of a secure system.
3. Additional load on system resources, which increases the time needed to complete the same task because data access and operations in general become slower.
4. The need to hire additional personnel responsible for keeping the protection system in working order.

It is difficult to imagine a modern bank without an automated information system. Connecting computers with each other, with more powerful computers, and with the computers of other banks is also a necessary condition for the bank's success: the number of operations that must be performed within a short period is too large.

At the same time, information systems are becoming one of the most vulnerable sides of a modern bank, attracting intruders both from among the bank's staff and from outside. Estimates of losses from crimes involving interference in the operation of banks' information systems vary greatly, and there are various methods of calculating them. The average electronic bank theft is about $9,000, and one of the most notorious scandals involves an attempt to steal $700 million (First National Bank, Chicago).

Moreover, it is necessary to take into account not only the direct damage but also the very expensive measures that have to be carried out after successful attempts to break into computer systems. One of the most striking examples is the loss of data on work with secret accounts of the Bank of England in January 1999. This loss forced the bank to change the codes of all correspondent accounts. All available intelligence and counterintelligence forces in the UK were alerted in order to prevent a possible leak of information that could cause enormous damage. The government took extreme measures so that outsiders would not learn the accounts and addresses to which the Bank of England sends hundreds of billions of dollars every day. What was feared most in the UK was a situation in which the data could end up at the disposal of foreign intelligence services: in that case the entire financial correspondent network of the Bank of England would have been exposed. The possibility of damage was eliminated within a few weeks.

Adzhiev V. Myths about software security: lessons from famous disasters // Open Systems. 1999. No. 6. pp. 21-24.

The services provided by banks today are largely based on electronic interaction between banks, and between banks and their customers and trading partners. Access to banking services has become possible from various remote points, including home terminals and office computers. This forces a move away from the "locked doors" concept typical for banks in the 60s, when computers were mostly used in batch mode as an auxiliary tool and had no connection with the outside world.

The level of automation plays an important role in the bank's activities and therefore directly affects its position and income. Increasing competition between banks creates the need to reduce settlement times and to widen the range and improve the quality of the services provided. The less time settlements between the bank and its customers take, the higher the bank's turnover and, consequently, its profit. In addition, the bank can respond more quickly to changes in the financial situation. A variety of services (first of all, the possibility of non-cash payments between the bank and its customers using plastic cards) can significantly increase the number of customers and, as a result, profits.

Crimes in the banking sector also have the characteristics listed above (Gamza V.A., Tkachuk I.B. Security of a commercial bank. M.: United Europe, 2000, p. 24).
The use of automated information processing systems (ASOI) by banks entails specific protection requirements, so banks should pay more attention to protecting their automated systems.

Conclusions on the first chapter:

1. JSCB "Globex" is a large financial organization and is therefore of great interest to technically equipped violators. The strengthening of organized criminal groups and the growth of their financial power and technical equipment give reason to believe that the trend towards an increasing number of attempts to penetrate the automated systems of banks will continue.
2. Taking into account the tasks set by the management of JSCB "Globex", it can be concluded that the relevant services of the bank will need to make a great effort to ensure the security of the bank's ASOI, given the specifics of its work.
3. JSCB "Globex" needs to identify and predict possible threats in order to justify, select and implement protective measures for the ASOI.
4. Since the computerization of banking is becoming more and more widespread and all banks interact with each other through computers, the Security Service of Globex Bank should pay more attention to the protection of computer information in the bank.

A data bank is a part of any automated system such as CAD, APCS, etc. The purpose of the data bank is to keep the information model up to date and to serve user requests. This requires three operations on the data bank: insert, delete and modify. These operations provide for the storage and modification of data.

As an automated system develops, the set of objects in the subject area and the connections between them change. All of this should be reflected in the information system, so the organization of the data bank must be flexible. Let us show the place of the data bank in the automated system.

When designing a data bank, two aspects of serving user requests must be considered.

1) Defining the boundaries of the specific subject area and developing the information model. Note that the data bank should provide information to the entire system both now and in the future, taking its development into account.

2) The development of a data bank should focus on efficiently serving user requests. In this regard, it is essential to analyze the types and kinds of user requests, as well as the functional tasks of the automated system for which this data bank will be the source of information.

Users of the data bank differ in the following ways:

· by the constancy of their interaction with the bank: permanent and one-time users;

· by permission level: part of the data must be protected;

· by the form of requests: requests can be made by programmers, non-programmers and task users.

Due to the great heterogeneity of users, the data bank provides a special tool that allows all queries to be brought to a single terminology. This tool is called the data dictionary.

Let us single out the primary requirements that a data bank must satisfy for its external users. The data bank should:

1. Provide the ability to store and modify large volumes of multidimensional information. Satisfy current and emerging user requirements.

2. Provide specified levels of reliability and consistency of stored information.

3. Provide access to data only to those users who have the appropriate authority.

4. Provide the ability to search for information on an arbitrary group of features.

5. Satisfy the specified performance requirements when processing requests.

6. Have the ability to reorganize and expand when changing the boundaries of the subject area.

7. Provide information to the user in various forms.

8. Provide the ability to simultaneously serve a large number of external users.

To meet these requirements, it is essential to introduce centralized data management.

Let us single out the main advantages of centralized data management compared to previously used software.

1) Reducing the redundancy of stored data. Data that is used by several applications is structured (integrated) and stored in a single copy.

2) Elimination of inconsistency of stored data. Because the data is not redundant, the situation is eliminated in which a data item is actually changed but the change does not appear in all records.

3) Multi-aspect use of data with a single entry.

4) Comprehensive optimization based on the analysis of user requirements. Data structures are chosen that provide the best service.

5) Ensuring the possibility of standardization. This facilitates the exchange of data with other automated systems, as well as procedures for monitoring and recovering data.

6) Ensuring the possibility of authorized access to data, i.e. the availability of data protection mechanisms.

It should be emphasized that the main problem of centralized data management is to ensure the independence of application programs from data. This is explained by the fact that data integration, optimization of data structures require changes in the stored representation of data and the data access method.

Conclusion: The main distinguishing feature of the data bank is the presence of centralized data management.

Chapter 1. Features of information security of banks.

Order of Rosstandart dated March 28, 2018 No. 156-st "On approval of the national standard of the Russian Federation"

Order of Rosstandart dated August 8, 2017 No. 822-st "On approval of the national standard of the Russian Federation"

The main objectives of the implementation of the Standard “Ensuring information security of organizations of the banking system of the Russian Federation. General Provisions” STO BR IBBS-1.0 (hereinafter referred to as the Standard):

  • increasing confidence in the banking system of the Russian Federation;
  • increasing the stability of the functioning of organizations of the banking system of the Russian Federation and, on this basis, the stability of the functioning of the banking system of the Russian Federation as a whole;
  • achieving the adequacy of measures to protect against real information security threats;
  • prevention and (or) reduction of damage from information security incidents.

The main objectives of the Standard:

  • establishment of uniform requirements for ensuring information security of organizations of the banking system of the Russian Federation;
  • increasing the effectiveness of measures to ensure and maintain the information security of organizations in the banking system of the Russian Federation.

Protection of information in electronic payment Internet systems

Internet payment system is a system for conducting settlements between financial, business organizations and Internet users in the process of buying / selling goods and services via the Internet. It is the payment system that allows you to turn an order processing service or an electronic storefront into a full-fledged store with all the standard attributes: by selecting a product or service on the seller’s website, the buyer can make a payment without leaving the computer.

In the e-commerce system, payments are made subject to a number of conditions:

1. Respect for confidentiality. When making payments over the Internet, the buyer wants his data (for example, credit card number) to be known only to organizations that have the legal right to do so.

2. Maintaining the integrity of information. Purchase information cannot be changed by anyone.

3. Authentication. Buyers and sellers must be sure that all parties involved in the transaction are who they say they are.

4. Means of payment. Possibility of payment by any means of payment available to the buyer.

6. Seller risk guarantees. When trading on the Internet, the seller is exposed to many risks associated with the refusal of goods and the bad faith of the buyer. The magnitude of the risks must be agreed with the payment system provider and other organizations included in the trade chains through special agreements.

7. Minimize transaction fees. The transaction processing fee for ordering and paying for goods is naturally included in their cost, so lowering the transaction price increases competitiveness. It is important to note that the transaction must be paid in any case, even if the buyer refuses the goods.

All of these conditions must be implemented in Internet payment systems, which are, in essence, electronic versions of traditional payment systems.

Thus, all payment systems are divided into:

· debit (working with electronic checks and digital cash);

· credit (working with credit cards).

Debit systems

Debit payment schemes are built similarly to their offline prototypes: check and regular cash. There are two independent parties involved in the scheme: issuers and users. The issuer is understood as the entity that manages the payment system. It issues some electronic units representing payments (for example, money in bank accounts).

System users perform two main functions. They make and accept payments on the Internet using issued electronic items.

Electronic checks are analogous to regular paper checks. These are the instructions of the payer to his bank to transfer money from his account to the account of the payee. The operation takes place when the recipient presents a check at the bank. There are two main differences here. First, when writing a paper check, the payer puts his real signature, and in the online version - an electronic signature. Secondly, the checks themselves are issued electronically.

Payments are made in several stages:

1. The payer issues an electronic check, signs it with an electronic signature and sends it to the recipient. To ensure greater reliability and security, the checking account number can be encrypted with the bank's public key.

2. The check is presented for payment to the payment system. There (or at the bank serving the recipient), the electronic signature is verified.

3. If its authenticity is confirmed, a product is delivered or a service is provided. Money is transferred from the payer's account to the recipient's account.

The simplicity of the payment scheme (Fig. 43), unfortunately, is offset by the difficulties of its implementation due to the fact that check schemes have not yet become widespread and there are no certification centers for the implementation of electronic signatures.

An electronic digital signature (EDS) uses a public key encryption system. This creates a private key for signing and a public key for verification. The private key is kept by the user, while the public key can be accessed by everyone. The most convenient way to distribute public keys is to use certification centers, which store digital certificates containing the public key and information about its owner. This relieves the user of the obligation to distribute his public key himself. In addition, certification authorities provide authentication to ensure that no one can generate keys on behalf of another person.

Electronic money fully simulates real money. The issuing organization, the issuer, issues its electronic counterparts, called differently in different systems (for example, coupons). These are bought by users, who use them to pay for purchases, and the seller then redeems them from the issuer. When issued, each currency unit is certified with an electronic seal, which the issuing structure checks before redemption.

One of the features of physical money is its anonymity, that is, it does not indicate who used it and when. Some systems, by analogy, allow the customer to receive electronic cash in such a way that the relationship between him and the money cannot be determined. This is done using a blind signature scheme.

It should also be noted that when using electronic money there is no need for authentication, since the system is based on issuing money into circulation before it is used.

Figure 44 shows the payment scheme using electronic money.

The payment mechanism is as follows:

1. The buyer exchanges real money for electronic money in advance. The client's cash can be stored in one of two ways, depending on the system used:

· on the computer's hard drive;

· on smart cards.

Different systems offer different exchange schemes. Some open special accounts to which funds are transferred from the buyer's account in exchange for electronic banknotes. Some banks may issue electronic cash themselves. In that case, it is issued only at the request of the client, then transferred to the client's computer or card, and the cash equivalent is withdrawn from his account. When a blind signature is implemented, the buyer himself creates the electronic banknotes and sends them to the bank, where, once the real money has been received, they are certified with the bank's seal and sent back to the client.

Along with the convenience of such storage, it also has disadvantages. Damage to a disk or smart card results in an irretrievable loss of electronic money.

2. The buyer transfers electronic money for the purchase to the seller's server.

3. The money is presented to the issuer, who verifies their authenticity.

4. If the electronic banknotes are authentic, the seller's account is increased by the amount of the purchase, and the goods are shipped to the buyer or the service is provided.

One of the important distinguishing features of electronic money is the ability to make micropayments. This is due to the fact that the denomination of banknotes may not correspond to real coins (for example, 37 kopecks).

Both banks and non-bank organizations can issue electronic cash. However, no single system for converting between different types of electronic money has yet been developed. Therefore, only the issuers themselves can redeem the electronic cash they have issued. In addition, the use of such money from non-financial structures is not guaranteed by the state. Nevertheless, the low cost of the transaction makes e-cash an attractive tool for payments on the Internet.
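As an added example (not part of the original text), the debit e-cash scheme above, steps 1 through 4 together with the blind signature from the anonymity paragraph, worked in Python: the buyer creates and blinds a banknote, the bank seals it and debits the account, the seller presents it to the issuer, which checks the seal and rejects a second presentation of the same serial. Textbook RSA with small fixed primes, the record of what the bank sees, and all names and amounts are constructed assumptions for the demo.

```python
"""RSA blind-signature e-cash demo. Constructed example with textbook RSA and
small fixed primes, for illustration only (not production code)."""
import hashlib
import math
import secrets

# Constructed issuer key pair. The primes are far too small for real use;
# they only keep the numbers readable. E is the public, D the private exponent.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def note_digest(serial: str, value_kopecks: int) -> int:
    """Hash of a banknote (serial number + denomination), reduced mod N."""
    data = f"{serial}:{value_kopecks}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Bank:
    """Issuer: seals blinded notes, redeems unblinded ones, tracks serials."""

    def __init__(self):
        self.accounts = {}       # client name -> balance in kopecks
        self.blinded_seen = []   # everything the bank sees at issue time
        self.redeemed = set()    # serials already cashed (double-spend check)

    def issue(self, client, blinded, value_kopecks):
        """Step 1: stamp the blinded note with the bank's seal, debit client."""
        if self.accounts.get(client, 0) < value_kopecks:
            raise ValueError("insufficient funds")
        self.accounts[client] -= value_kopecks
        self.blinded_seen.append(blinded)
        return pow(blinded, D, N)   # RSA signature on the blinded value

    def redeem(self, seller, serial, value_kopecks, sig):
        """Steps 3-4: verify the seal, reject reuse, credit the seller."""
        if pow(sig, E, N) != note_digest(serial, value_kopecks):
            return False         # forged or altered note
        if serial in self.redeemed:
            return False         # the same note presented twice
        self.redeemed.add(serial)
        self.accounts[seller] = self.accounts.get(seller, 0) + value_kopecks
        return True


class Buyer:
    def __init__(self, name):
        self.name = name

    def make_note(self, bank, value_kopecks):
        """Create a note, blind it, get it sealed, unblind the seal."""
        serial = secrets.token_hex(16)
        m = note_digest(serial, value_kopecks)
        while True:              # blinding factor r must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
        blinded = (m * pow(r, E, N)) % N
        blinded_sig = bank.issue(self.name, blinded, value_kopecks)
        # (m * r^E)^D = m^D * r  ->  multiply by r^-1 to recover m^D
        sig = (blinded_sig * pow(r, -1, N)) % N
        return serial, value_kopecks, sig


def run_demo():
    """Walk through issue, unlinkability, redemption, double spend, forgery."""
    bank = Bank()
    bank.accounts["alice"] = 10_000                  # constructed: 100 roubles
    alice = Buyer("alice")
    serial, value, sig = alice.make_note(bank, 37)   # a 37-kopeck note
    # The bank saw only the blinded value, so it cannot link this note
    # back to the issuing transaction (step 2 is the transfer to the seller).
    unlinkable = note_digest(serial, value) not in bank.blinded_seen
    first = bank.redeem("shop", serial, value, sig)    # genuine, first use
    second = bank.redeem("shop", serial, value, sig)   # same note again
    forged = bank.redeem("shop", serial, 9_900, sig)   # altered denomination
    return {
        "alice_balance": bank.accounts["alice"],
        "shop_balance": bank.accounts.get("shop", 0),
        "unlinkable": unlinkable,
        "first_redeem": first,
        "double_spend_rejected": not second,
        "forgery_rejected": not forged,
    }


if __name__ == "__main__":
    print(run_demo())
```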

Credit systems

Internet credit systems are analogues of conventional systems that work with credit cards. The difference lies in conducting all transactions via the Internet and, as a result, in the need for additional means of security and authentication.

The following are involved in making payments via the Internet using credit cards:

1. Buyer. A client that has a computer with a Web browser and Internet access.

2. Issuing bank. Holds the buyer's account. The issuing bank issues cards and is the guarantor of the fulfillment of the client's financial obligations.

3. Sellers. Sellers are E-Commerce servers that maintain catalogs of goods and services and accept customer purchase orders.

4. Acquiring banks. Banks serving merchants. Each seller has a single bank in which he keeps his current account.

5. Internet payment system. Electronic components that are intermediaries between other participants.

6. Traditional payment system. A set of financial and technological means for servicing cards of this type. Among the main tasks solved by the payment system are the use of cards as a means of payment for goods and services, the use of banking services, mutual settlements, etc. Participants of the payment system are individuals and legal entities, united by relations on the use of credit cards.

7. Processing center of the payment system. An organization that provides information and technological interaction between participants in a traditional payment system.

8. Settlement bank of the payment system. A credit institution that carries out mutual settlements between participants of the payment system on behalf of the processing center.

The general scheme of payments in such a system is shown in Figure 45.

1. The buyer in the electronic store forms a basket of goods and selects the payment method "credit card".

2. The card details are entered in one of two ways:

· through the store, that is, the card parameters are entered directly on the store's website, after which they are transferred to the Internet payment system (2a);

· on the server of the payment system (2b).

The advantages of the second way are obvious.

In this case, information about the cards does not remain in the store, and, accordingly, the risk of receiving them by third parties or fraud by the seller is reduced. In both cases, when transferring credit card details, there is still the possibility of them being intercepted by attackers on the network. To prevent this, data is encrypted during transmission.

Encryption, of course, reduces the possibility of intercepting data on the network, therefore, buyer/seller, seller/Internet payment system, buyer/Internet payment system communications are preferably carried out using secure protocols. The most common of them today is the SSL (Secure Sockets Layer) protocol, as well as the SET (Secure Electronic Transaction) secure electronic transaction standard, designed to eventually replace SSL in processing transactions related to payments for purchases on credit cards on the Internet.

3. The Internet payment system sends the authorization request to the traditional payment system.

4. The next step depends on whether the issuing bank maintains an online database (DB) of accounts. If the database is available, the processing center sends to the issuing bank a request for card authorization (see the introduction or dictionary) (4a) and then (4b) receives its result. If there is no such base, then the processing center itself stores information about the status of cardholders' accounts, stop lists and fulfills requests for authorization. This information is regularly updated by issuing banks.

The store provides a service or ships a product (8a);

The processing center sends settlement bank information about the completed transaction (8b). Money from the buyer's account in the issuing bank is transferred through the settlement bank to the store's account in the acquiring bank.

In most cases, special software is required to make such payments. It can be delivered to the buyer (where it is called an electronic wallet), to the seller, and to the seller's servicing bank.

In our life, the Internet is not only a means for communication, entertainment and recreation, but also for work, as well as for making electronic payments. Many of us use Internet banking services and make purchases in online stores.

Top Threats to Online Operations

Despite the protection of Internet banking systems and online stores by such methods as two-factor authentication, one-time dynamic SMS passwords, additional lists of one-time passwords or hardware keys, SSL-secured connections and so on, modern attack methods make it possible to bypass even the most reliable defense mechanisms.

Today, three of the most common approaches used by attackers against the financial data of Internet users can be distinguished:

- infection of the victim's computer with Trojan programs (keyloggers, screen loggers, etc.) used to intercept input data;
- use of social engineering methods: phishing attacks through email, websites, social networks, etc.;
- technological attacks (sniffing, spoofing of DNS/proxy servers, spoofing of certificates, etc.).

How to secure internet banking?

The user should not rely only on the bank, but use security programs to enhance the security of electronic payments on the Internet.

Modern Internet Security solutions, in addition to antivirus functions, offer secure payment tools (isolated virtual environments for online operations), as well as a vulnerability scanner, web protection with link checking, blocking of malicious scripts and pop-ups, data protection from interception (anti-keyloggers), and a virtual keyboard.

Among the complex solutions with a separate online payment protection function, one can single out Kaspersky Internet Security with the Safe Money component, avast! Internet Security with avast! SafeZone, and Bitdefender Internet Security with Bitdefender Safepay. These products allow you not to worry about additional protection.

If you have a different antivirus, you can look at additional means of protection. Among them: Bitdefender Safepay (an isolated web browser), Trusteer Rapport and HitmanPro.Alert to protect the browser from attacks, and the plug-ins and applications Netcraft Extension, McAfee SiteAdvisor and Adguard to protect against phishing.

Do not forget about the firewall and a VPN client if you have to perform financial transactions while connected to open Wi-Fi networks in public places. For example, CyberGhost VPN uses AES 256-bit traffic encryption, which prevents the data from being used by an attacker even if it is intercepted.

What online payment protection methods do you use? Share your experience in the comments.

Posted on http://www.allbest.ru/

Ministry of General and Vocational Education of the Rostov Region

STATE BUDGET EDUCATIONAL INSTITUTION OF SECONDARY VOCATIONAL EDUCATION OF THE ROSTOV REGION

"Rostov-on-Don College of Communications and Informatics"

By discipline: "Information security"

Topic: Information protection of banks

Completed by student

Kladovikov V.S.

Group PO-44

Specialty 23010551 Software

computer technology and automated systems

Head: Semergey S.V.

2013

Introduction

1. Features of information security of banks

2. Security of automated information processing systems in banks (ASOIB)

3. Security of electronic payments

4. Security of personal payments of individuals

Conclusion

Applications

Introduction

Since their inception, banks have consistently aroused criminal interest. This interest was associated not only with the money stored in credit organizations, but also with the fact that banks held important and often secret information about the financial and economic activities of many people, companies, organizations and even entire states. Currently, as a result of the ubiquitous spread of electronic payments, plastic cards and computer networks, the direct target of information attacks has become the cash of both banks and their clients. Anyone can attempt theft: all that is needed is a computer connected to the Internet. Moreover, this does not require physically entering the bank; one can "work" thousands of kilometers away from it.

It is this problem that is now the most relevant and least studied. While established approaches have long existed for ensuring physical and classical information security (although development is taking place here too), frequent radical changes in computer technologies mean that the security methods of a bank's automated information processing systems (ASOIB) require constant updating. As practice shows, there are no complex computer systems that do not contain errors. And since the ideology of building large ASOIBs changes regularly, fixing the errors and "holes" found in security systems does not last long, because a new computer system brings new problems and new errors and forces the security system to be rebuilt in a new way.

In my opinion, everyone is interested in the confidentiality of their personal data provided to banks. Based on this, writing this essay and studying this problem, in my opinion, is not only interesting, but also extremely useful.

1. Features of information security of banks

Banking information has always been the object of close interest of all kinds of intruders. Any banking crime begins with a leak of information. Automated banking systems are conduits for such leaks. From the very beginning of the introduction of automated banking systems (ABS), they have become the object of criminal encroachments.

Thus, it is known that in August 1995, 24-year-old Russian mathematician Vladimir Levin was arrested in the UK; using his home computer in St. Petersburg, he had managed to penetrate the banking system of one of the largest American banks, Citibank, and tried to withdraw large sums from its accounts. According to the Moscow representative office of Citibank, until then no one had been able to do this. The Citibank security service found out that an attempt was made to steal $2.8 million from the bank, but the controlling systems detected this in time and blocked the accounts. Only $400,000 was stolen.

In the US, the annual losses of banking institutions from the illegal use of computer information are, according to experts, from 0.3 to 5 billion dollars. Information security is one aspect of the general problem of ensuring the security of banking.

In this regard, the information security strategy of banks is very different from similar strategies of other companies and organizations. This is primarily due to the specific nature of the threats, as well as the public activities of banks, which are forced to make access to accounts easy enough for the sake of convenience for customers.

An ordinary company builds its information security based only on a narrow range of potential threats - mainly protecting information from competitors (in Russian realities, the main task is to protect information from tax authorities and the criminal community in order to reduce the likelihood of an uncontrolled increase in tax payments and racketeering). Such information is of interest only to a narrow circle of interested persons and organizations and is rarely liquid, i.e. convertible into cash.

The information security of the bank should take into account the following specific factors:

1. Information stored and processed in banking systems is real money. Based on computer information, payments can be made, loans can be opened, and significant amounts can be transferred. It is quite clear that illegal manipulation of such information can lead to serious losses. This feature dramatically expands the circle of criminals who encroach on banks specifically (unlike, for example, industrial companies, whose inside information is of little interest to anyone).

2. Information in banking systems affects the interests of a large number of people and organizations - bank customers. As a rule, it is confidential, and the bank is responsible for providing the required degree of secrecy to its customers. Naturally, customers have the right to expect that the bank should take care of their interests, otherwise it risks its reputation with all the ensuing consequences.

3. The competitiveness of the bank depends on how convenient it is for the client to work with the bank, as well as how wide the range of services provided, including services related to remote access. Therefore, the client should be able to manage his money quickly and without tedious procedures. But this ease of access to money increases the likelihood of criminal intrusion into banking systems.

4. The information security of a bank (unlike most companies) must ensure high reliability of computer systems even in case of emergency situations, since the bank is responsible not only for its own funds, but also for the money of customers.

5. The bank stores important information about its customers, which expands the circle of potential intruders interested in stealing or damaging such information.

Unfortunately, today, due to the high development of technology, even extremely strict organizational measures to regulate the handling of confidential information will not protect against its leakage through physical channels. Therefore, a systems approach to information security requires that the means and actions used by the bank to ensure information security (organizational, physical, software and hardware) be considered as a single set of interrelated, complementary and interacting measures. Such a complex should be aimed not only at protecting information from unauthorized access, but also at preventing accidental destruction, modification or disclosure of information.

2. Security of automated information processing systems in banks (ASOIB)

It would not be an exaggeration to say that the problem of deliberate violations of the functioning of ASOIB for various purposes is currently one of the most urgent. This statement is most true for countries with a highly developed information infrastructure, as evidenced by the figures below.

It is known that in 1992 the damage from computer crimes amounted to $555 million, 930 years of working time and 15.3 years of computer time. According to other sources, the damage to financial organizations ranges from $173 million to $41 billion a year.

From this example, we can conclude that information processing and protection systems reflect the traditional approach to the computer network as a potentially unreliable data transmission medium. There are several main ways to ensure the security of the software and hardware environment, implemented by various methods:

1.1. Creation of user profiles. Each node creates a database of users, their passwords and access profiles to the local resources of the computer system.

1.2. Creation of process profiles. The authentication task is performed by an independent (third-party) server that holds passwords for both users and end servers (in the case of a group of servers, only one (master) authentication server holds the password database; the rest hold periodically updated copies). Thus, the use of network services requires two passwords (although the user only needs to know one; the second is provided by the server in a "transparent" manner). Obviously, the server becomes the bottleneck of the entire system, and compromising it can compromise the security of the entire computer network.

2. Encapsulation of transmitted information in special exchange protocols. The use of such methods in communications is based on public key encryption algorithms. At the initialization stage, a pair of keys is created: a public key and a private key, the latter available only to the party that publishes the public key. The essence of public key encryption algorithms is that the encryption and decryption operations are performed with different keys (public and private, respectively).

3. Restriction of information flows. These are well-known techniques that allow you to divide a local network into related subnets and control and limit the transfer of information between these subnets.

3.1. Firewalls. The method involves the creation of special intermediate servers between the bank's local network and other networks that inspect, analyze and filter the entire data flow passing through them (network/transport layer traffic). This dramatically reduces the threat of unauthorized access to corporate networks from outside, but does not completely eliminate the danger. A more secure version of the method is masquerading, when all traffic leaving the local network is sent on behalf of the firewall server, making the closed local network almost invisible.

3.2. Proxy servers. With this method, severe restrictions are placed on the rules for transmitting information in the network: all network/transport layer traffic between the local and global networks is completely prohibited (there is simply no routing as such), and calls from the local network to the global network go through special intermediary servers. Obviously, with this method, access from the global network to the local network becomes impossible in principle. It is equally obvious that this method does not provide sufficient protection against attacks at higher layers, for example at the level of a software application.

4. The creation of virtual private networks (VPN) makes it possible to effectively ensure the confidentiality of information and its protection from eavesdropping or interference in data transmission. VPNs allow confidential, secure communications to be established over an open network, typically the Internet, and extend the boundaries of corporate networks to remote offices, mobile users, home users and business partners. Encryption technology eliminates the possibility of VPN messages being intercepted or read by persons other than the authorized recipients by using advanced mathematical message encryption algorithms and applications. The Cisco VPN 3000 Series Concentrators are considered by many to be the best remote-access VPN solution in their category. Cisco VPN 3000 Concentrators, featuring the most advanced functions with high reliability and a unique, purpose-built architecture, enable corporations to build high-performance, scalable and powerful VPN infrastructures to support mission-critical remote access applications. Cisco VPN-optimized routers, such as the Cisco 800, 1700, 2600, 3600, 7100 and 7200 routers, are ideal tools for creating virtual private networks from one network object to another.

5. Intrusion detection systems and vulnerability scanners create an additional layer of network security. Although firewalls allow or block traffic based on source, destination, port or other criteria, they do not actually analyze traffic for attacks or look for vulnerabilities in the system. In addition, firewalls usually do not deal with internal threats coming from "insiders". The Cisco Intrusion Detection System (IDS) can secure the perimeter network, business partner networks and increasingly vulnerable internal networks in real time. The system uses agents, which are high-performance network devices, to analyze individual packets in order to detect suspicious activity. If there is unauthorized activity or a network attack in the traffic, agents can detect the violation in real time, send alerts to the administrator and block the intruder's access to the network. In addition to network intrusion detection, Cisco also offers server intrusion detection systems that provide effective protection for specific servers in the user's network, primarily Web and e-commerce servers. The Cisco Secure Scanner is an industrial-grade software scanner that allows an administrator to identify and fix network security vulnerabilities before hackers find them.

As networks grow and become more complex, the requirement for centralized security policy controls that can manage security elements becomes paramount. Intelligence that can indicate, manage and audit security policy status improves the usability and effectiveness of network security solutions. Cisco's solutions in this area take a strategic approach to security management. Cisco Secure Policy Manager (CSPM) supports Cisco security elements in enterprise networks to ensure comprehensive and consistent security policy enforcement. With CSPM, customers can define an appropriate security policy, enforce it, and validate the security principles of hundreds of Cisco Secure PIX and Cisco IOS Firewall Feature Set firewalls and IDS agents. CSPM also supports the IPsec standard for building VPNs. In addition, CSPM is an integral part of the widely used CiscoWorks2000/VMS corporate management system.

Summarizing the above methods: the development of information systems requires the parallel development of information transfer and protection technologies. These technologies must protect the transmitted information, making the network "reliable", although at the present stage reliability is understood not at the physical level but at the logical (information) level.

There are also a number of additional measures that implement the following principles:

1. Process monitoring. The method consists in creating a special extension of the system that constantly carries out certain types of checks. A system becomes externally vulnerable only when it provides external access to its information resources. When such access points (server processes) are created, there is as a rule a sufficient amount of a priori information about how the client processes should behave. Unfortunately, in most cases this information is simply ignored: after an external process has been authenticated, it is considered authorized for the rest of its life cycle to access a certain set of information resources without any additional checks.

Although in most cases it is impossible to specify all the rules for the behaviour of an external process, it is quite possible to define them through negation, that is, to state what the external process must not do under any conditions. Dangerous or suspicious events can then be monitored against these checks. For example, the figure referred to at this point in the original (not reproduced here) shows the monitoring elements and the detected events: a DoS attack, a user password entry error, and congestion in the communication channel.
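As an added illustration (not part of the original text), the following Python script applies three such "negative" rules to a constructed log stream and reports exactly the events listed above: password guessing (repeated password entry errors by one user), a connection flood from one source (a DoS symptom) and channel congestion. The log format, field names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp event key=value ..." format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth_fail user=ivanov src=10.0.0.7
2024-03-01T10:00:03 auth_fail user=ivanov src=10.0.0.7
2024-03-01T10:00:04 auth_fail user=ivanov src=10.0.0.7
2024-03-01T10:00:06 auth_fail user=ivanov src=10.0.0.7
2024-03-01T10:00:07 auth_ok user=petrova src=10.0.0.9
2024-03-01T10:00:10 conn_open src=198.51.100.23
2024-03-01T10:00:10 conn_open src=198.51.100.23
2024-03-01T10:00:11 conn_open src=198.51.100.23
2024-03-01T10:00:11 conn_open src=198.51.100.23
2024-03-01T10:00:12 conn_open src=198.51.100.23
2024-03-01T10:00:12 conn_open src=198.51.100.23
2024-03-01T10:00:15 conn_open src=10.0.0.9
2024-03-01T10:00:20 link_util pct=97
"""

WINDOW = timedelta(seconds=30)
# Rules stated as negations: what an external process must never do (assumed thresholds).
RULES = {
    "auth_fail": ("user", 3, "password_guessing"),   # never > 3 failed passwords per user per window
    "conn_open": ("src", 5, "dos_flood"),            # never > 5 new connections from one source per window
}
LINK_UTIL_MAX = 90                                   # never more than 90 % channel utilisation

def parse(line):
    ts, event, *kv = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in kv)

def monitor(lines):
    """Return [(timestamp, alert_kind, detail)] for every rule violation in the stream."""
    alerts, windows = [], defaultdict(deque)        # (event, key) -> timestamps inside WINDOW
    for line in filter(None, map(str.strip, lines)):
        ts, event, f = parse(line)
        if event == "link_util":
            if int(f["pct"]) > LINK_UTIL_MAX:
                alerts.append((ts, "congestion", f"link utilisation {f['pct']}%"))
        elif event in RULES:
            field, limit, kind = RULES[event]
            dq = windows[(event, f[field])]
            dq.append(ts)
            while ts - dq[0] > WINDOW:               # slide the window forward
                dq.popleft()
            if len(dq) == limit + 1:                 # fire once, when the limit is first exceeded
                alerts.append((ts, kind, f"{field}={f[field]}: {len(dq)} x {event} within {WINDOW.seconds}s"))
    return alerts

if __name__ == "__main__":
    for ts, kind, detail in monitor(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), kind, detail)
```

The monitor never tries to enumerate allowed behaviour; it only counts what the rules forbid, which is why it stays small even though the legitimate client behaviour is unknown. In production the same sliding-window logic would be fed from the authentication service and the connection tracker rather than from a text file.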

2. Duplication of transmission technologies. Any information transfer technology carries a risk of being broken or compromised, both because of its internal shortcomings and as a result of external influences. Protection against this lies in the parallel use of several different transmission technologies. Obviously, duplication sharply increases network traffic, but the method is justified when the cost of the risk of possible losses exceeds the overhead of duplication. The copies must also be compared on receipt: a mismatch between the channels is itself a signal that one of them has been tampered with.

3. Decentralization. In many cases the use of standardized information exchange technologies is driven not by a desire for standardization but by the insufficient computing power of the systems that provide the communication procedures. The widespread practice of "mirrors" on the Internet can also be seen as an implementation of the decentralized approach. Creating several identical copies of a resource is useful in real-time systems, where even a short-term failure can have quite serious consequences. The caveat is that every copy must be kept consistent and its integrity must be verifiable; otherwise a single compromised mirror serves tampered content to its share of the users.

3. Security of electronic payments


The need to always have the right information at hand makes many managers think about optimizing their business with computer systems. But while accounting was moved from paper to electronic form long ago, settlements with the bank are still insufficiently automated: a massive transition to electronic document management is yet to come.

Today, many banks have certain channels for remote payment transactions. A payment order can be sent directly from the office over a modem connection or a dedicated communication line. Banking over the Internet has also become a reality: it is enough to have a computer with access to the global network and an electronic digital signature (EDS) key registered with the bank.

Remote banking allows you to increase the efficiency of a private business with minimal effort on the part of its owners. This ensures: saving time (no need to come to the bank in person, payment can be made at any time); convenience of work (all operations are performed from a personal computer in a familiar business environment); high speed of payment processing (the bank operator does not reprint data from a paper original, which makes it possible to eliminate input errors and reduce the processing time of a payment document); monitoring the state of the document in the process of its processing; obtaining information about the movement of funds on accounts.

However, despite the obvious advantages, electronic payments in Russia are not yet very popular, since bank customers are not sure of their security. This is primarily due to the widespread belief that computer networks can easily be "hacked" by some hacker. This myth is firmly ingrained in people's minds, and regularly published news in the media about attacks on yet another website further strengthens this opinion. But times are changing, and electronic means of communication will sooner or later replace the personal presence of the payer who wants to make a non-cash bank transfer from one account to another.

In my opinion, the security of electronic banking transactions can be ensured today. It is guaranteed by modern cryptographic methods used to protect electronic payment documents, first of all an EDS conforming to GOST R 34.10-94. The Bank of Russia has used it successfully since 1995: it first introduced a system of inter-regional electronic payments in just a few regions, and now the system covers all regions of the Russian Federation; it is hard to imagine the Bank of Russia functioning without it. So is it worth doubting the reliability of the EDS, if its use is time-tested and already, one way or another, concerns every citizen of the country? (One caveat for today's reader: GOST R 34.10-94 has since been superseded by the elliptic-curve schemes GOST R 34.10-2001 and GOST R 34.10-2012, so the argument applies to the current version of the standard rather than to the 1994 parameters.)

The digital signature is the guarantee of security. Under the standard agreement between the bank and the client, the presence under an electronic document of the EDS of a sufficient number of authorized persons registered with the bank serves as the basis for performing operations on the client's accounts. Federal Law No. 1-FZ of 10 January 2002 "On Electronic Digital Signature" requires that the EDS be generated and verified by software certified by FAPSI. Certification of the EDS software is a guarantee that the program performs the cryptographic functions in accordance with the GOST standards and does not perform destructive actions on the user's computer. (Law No. 1-FZ has since been replaced by Federal Law No. 63-FZ of 6 April 2011 "On Electronic Signature".)

To affix an EDS to an electronic document, its owner needs the signing key, which is stored on some key carrier. Modern key carriers (eToken, USB drive, Touch Memory) are shaped like key fobs and can be carried on an ordinary key ring. Floppy disks can also be used as a key carrier. The carriers are not equivalent, however: a key kept as a file on a floppy or plain USB drive can be copied without the owner noticing, whereas a carrier that keeps the key inside a chip and performs the signature on board never releases it.

Each EDS key serves as an analogue of the handwritten signature of an authorized person. If in an organization paper payment orders are usually signed by the director and the chief accountant, then in an electronic system it is best to keep the same procedure and provide separate EDS keys for the authorized persons. A single EDS can also be used, but this must be reflected in the agreement between the bank and the client.

The EDS key consists of two parts, private and public. The public part (public key), after being generated by the owner, is submitted to the Certification Authority, whose role is usually played by the bank. The public key, information about its owner, the purpose of the key and other data are signed by the EDS of the Certification Authority. This forms an EDS certificate, which must be registered in the bank's electronic settlement system.

The private part of the EDS key (secret key) must under no circumstances be handed by the owner to another person. If the secret key has been given to another person even for a short time, or left somewhere unattended, the key is considered "compromised" (that is, it may have been copied or used illegally). In other words, a person who is not the owner of the key can then sign an electronic document not authorized by the organization's management, which the bank will accept for execution, and rightly so, since verification of the digital signature will show it to be authentic. All responsibility in this case rests solely with the owner of the key. The owner's actions in this situation should be the same as when an ordinary plastic card is lost: he must inform the bank of the "compromise" (loss) of the EDS key. The bank then blocks the certificate of this digital signature in its payment system, and the attacker cannot use his illegal acquisition.

Unauthorized use of the secret key can also be hindered by a password that protects both the key and some types of key carrier. This minimizes the damage in case of loss: without the password the key is unusable, and the owner has enough time to inform the bank of the compromise of his EDS. The caveat is that a password on a key file only slows down an attacker who has copied the file, since the password can be guessed offline at leisure; a hardware carrier that signs inside its chip and locks itself after a few wrong PIN entries gives real protection, and the compromise should be reported to the bank in any case.
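The following added example (not code from the original text, from the Bank of Russia or from any vendor) models the scheme described in this section end to end. The signature algorithm is GOST R 34.10-94, a Schnorr/ElGamal-type scheme over a prime-order subgroup of Z_p*, with SHA-256 standing in for the GOST R 34.11-94 hash and deliberately small, freshly generated domain parameters that are suitable only for illustration. The bank acts as Certification Authority, registers certificates, requires the signatures of both the director and the chief accountant on a payment order, and blocks a certificate once the owner reports the key compromised. All class, function and account names are assumptions.

```python
import hashlib, json, secrets

def is_probable_prime(n, rounds=24):                       # Miller-Rabin; adequate for toy parameters
    if n < 4 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def gen_params(q_bits=64):                                 # GOST R 34.10-94 domain parameters (p, q, a)
    q = 4
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | 1 << (q_bits - 1) | 1
    p = 4
    while not is_probable_prime(p):
        p = 2 * (secrets.randbits(q_bits) + 1) * q + 1     # p - 1 is a multiple of q
    a = 1
    while a == 1:
        a = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)   # element of order q
    return p, q, a

def keygen(params):
    p, q, a = params
    x = secrets.randbelow(q - 1) + 1                       # private (secret) key
    return x, pow(a, x, p)                                 # public key y = a^x mod p

def hash_to_int(msg, q):                                   # SHA-256 stands in for GOST R 34.11-94
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q or 1   # standard: h = 1 if h mod q == 0

def sign(params, x, msg):
    p, q, a = params
    h = hash_to_int(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1                   # fresh per-signature secret
        r = pow(a, k, p) % q
        s = (x * r + k * h) % q
        if r and s:
            return r, s

def verify(params, y, msg, sig):
    p, q, a = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    v = pow(hash_to_int(msg, q), q - 2, q)                 # h^-1 mod q (q is prime)
    u = pow(a, s * v % q, p) * pow(y, (q - r) * v % q, p) % p
    return u % q == r                                      # u == a^k mod p for a genuine signature

def canon(obj):                                            # signer and bank must hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class Bank:                                                # Certification Authority + payment system
    def __init__(self, params):
        self.params, (self.ca_priv, self.ca_pub) = params, keygen(params)
        self.certs, self.blocked, self.required = {}, set(), {}

    def issue_cert(self, owner, purpose, y):
        body = {"owner": owner, "purpose": purpose, "y": y}
        cert = dict(body, id=hashlib.sha256(canon(body)).hexdigest()[:16], ca_sig=sign(self.params, self.ca_priv, canon(body)))
        self.certs[cert["id"]] = cert                      # registered in the settlement system
        return cert

    def accept_payment(self, doc, signatures):             # signatures: {cert_id: (r, s)}
        signed_by = set()
        for cert_id, sig in signatures.items():
            cert = self.certs.get(cert_id)
            if cert is None or cert_id in self.blocked:
                return False, f"certificate {cert_id} unknown or blocked"
            if not verify(self.params, cert["y"], canon(doc), sig):
                return False, f"invalid signature by {cert['owner']}"
            signed_by.add(cert["owner"])
        missing = self.required[doc["account"]] - signed_by
        return not missing, f"missing signatures: {sorted(missing)}" if missing else "accepted"

def demo():
    params = gen_params()
    bank = Bank(params)
    (d_priv, d_pub), (a_priv, a_pub) = keygen(params), keygen(params)
    d_cert = bank.issue_cert("director", "payments", d_pub)
    a_cert = bank.issue_cert("chief accountant", "payments", a_pub)
    bank.required["40702810000000000001"] = {"director", "chief accountant"}   # assumed account, two signers
    doc = {"account": "40702810000000000001", "to": "40702810000000000002",
           "amount": "125000.00", "purpose": "invoice 17"}                      # constructed payment order
    sigs = {c["id"]: sign(params, k, canon(doc)) for c, k in ((d_cert, d_priv), (a_cert, a_priv))}
    out = {"both": bank.accept_payment(doc, sigs)[0],
           "accountant_only": bank.accept_payment(doc, {a_cert["id"]: sigs[a_cert["id"]]})[0],
           "tampered": bank.accept_payment(dict(doc, amount="925000.00"), sigs)[0]}
    bank.blocked.add(d_cert["id"])                         # director reports the key compromised
    out["after_block"] = bank.accept_payment(doc, sigs)[0]
    return out
```

Running `demo()` shows the four outcomes the section describes: a payment order carrying both registered signatures is accepted, one signature alone is not enough, changing the amount after signing invalidates the signatures, and once the director's certificate is blocked even correctly signed orders are refused. The per-signature secret `k` must be fresh and unpredictable; reusing it across two documents exposes the private key, which is why the example draws it from `secrets`.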

Let's consider how a client can use electronic payment services, provided that the bank has InterBank, a system for the integrated implementation of electronic banking services. If the client is a private entrepreneur or runs a small commercial firm with Internet access, it is enough to choose the cryptographic protection system (EDS and encryption) to be used: the client can install the certified CryptoPro CSP software or limit himself to the Microsoft Base CSP built into Microsoft Windows. Note that the Microsoft Base CSP does not implement the GOST algorithms, so where the agreement with the bank requires a GOST R 34.10 signature a GOST-capable provider such as CryptoPro CSP is needed.

If the client is a large company with a large financial turnover, another InterBank subsystem, "Windows Client", can be recommended. With it the client maintains its own database of electronic documents and can prepare payment orders on its computer without a communication session with the bank. When all the required documents have been prepared, the client connects to the bank by telephone line or a dedicated line to exchange data.

Another type of service provided by the InterBank complex is informing the client about the status of his bank accounts, exchange rates and transferring other reference data via voice communication, fax or cell phone screen.

A convenient feature of electronic payments is the approval of payment documents by authorized employees of the enterprise who are far apart from each other. For example, the chief accountant prepares and signs an electronic payment document; the director, currently on a business trip in another city or country, can view this document, sign it and send it to the bank. All these actions are performed in the "Internet-Client" subsystem, to which the accountant and the director connect via the Internet. Data encryption and user authentication are carried out by one of the standard protocols, SSL or TLS (today that means TLS 1.2 or later, since all versions of SSL and TLS 1.0/1.1 are deprecated).

So, the use of electronic payments in business provides significant advantages over traditional service. As for security, it rests on the EDS standard (GOST R 34.10-94) on the one hand and on the client's responsibility for storing the signing key on the other. The client can always obtain recommendations on the use and storage of EDS keys from the bank, and if he follows them, the reliability of payments is guaranteed.

4. Security of personal payments of individuals

Most security systems, in order to avoid the loss of personal data of individuals, require the user to confirm that he is who he claims to be. User identification (authentication) can be based on the fact that:

* he knows some information (secret code, password);

* he has a certain item (card, electronic key, token);

* he has a set of individual features (fingerprints, hand shape, voice timbre, retinal pattern, etc.);

* he knows where or how a specialized key is connected.

The first method requires typing a code sequence on the keyboard: a personal identification number (PIN). This is usually a sequence of 4-8 digits that the user must enter when making a transaction. Because a 4-8 digit PIN offers at most 10^8 possibilities, the verifying side must limit the number of attempts (typically to three); otherwise the PIN can simply be guessed.

The second method involves the user presenting some specific identification elements - codes read from a non-copyable electronic device, card or token.

The third method uses the individual characteristics and physical features of the person. Any biometric product comes with a fairly large database that stores the corresponding images or other data used in recognition.

The fourth method involves a special way of switching on or switching the equipment that enables its operation (this approach is used quite rarely).

In banking, the most widely used means of personal identification are those of the second group: possession of an object (card, electronic key, token). Naturally, such a key is used in combination with the means of the first group: knowledge of information (secret code, password).

Let's take a closer look at the means of identifying an individual in banking.

Plastic cards.

Currently, over a billion cards have been issued in various countries of the world. The best known of them:

Credit cards Visa (more than 350 million cards) and MasterCard (200 million cards);

International check guarantees Eurocheque and Posteheque;

Travel and entertainment cards American Express (60 million cards) and Diners Club.

Magnetic cards

The best known and longest used means of identification in banking are plastic cards with a magnetic stripe (many systems allow the use of ordinary credit cards). To read the card, it is swiped (magnetic stripe through the slot) through a reader. Readers are usually external devices connected via a serial or universal (USB) port; there are also readers combined with a keyboard. Such cards have both disadvantages and advantages.

Disadvantages:

* a magnetic card can easily be copied with readily available equipment;

* Pollution, a slight mechanical impact on the magnetic layer, the presence of the card near strong sources of electromagnetic fields lead to damage to the card.

Advantages:

* the cost of issuing and maintaining such cards is low;

* the magnetic plastic card industry has been developing for several decades, and at the moment more than 90% of plastic cards in circulation are magnetic stripe cards;

* the use of magnetic cards is justified with a very large number of users and frequent change of cards (for example, to access a hotel room).

Proximity cards

In fact, this is a development of the idea of electronic tokens. It is a contactless card (but it can also be a key fob or bracelet) containing a chip with a unique code or a radio transmitter. The reader is equipped with a special antenna that constantly emits electromagnetic energy. When a card enters this field, the card chip is powered and the card sends its unique code to the reader. For most readers the stable response distance ranges from a few millimetres to 5-15 cm. A card that merely transmits a fixed code can be read, and therefore cloned, by anyone who brings a reader within that distance, so in terms of copyability such cards should be treated like magnetic cards.

Smart cards

Unlike a magnetic card, a smart card contains a microprocessor and contact pads for supplying power and exchanging information with the reader. The smart card has a very high degree of security. It is with it that the main prospects for the development of such keys and the hopes of many developers of protection systems are still associated.

Smart card technology has existed and developed for about twenty years, but it has only become widespread in the last few years. It is obvious that a smart card, thanks to its large memory and functionality, can act as a key, as a pass and at the same time as a bank card. In real life such a combination of functions is implemented quite rarely.

To work with a smart card, the computer must be equipped with a special device: a built-in or external card reader. External card readers can be connected to various ports on the computer (serial, parallel, or PS/2 keyboard port, PCMCIA slot, SCSI, or USB).

Many cards include different kinds (algorithms) of authentication. Three parties take part in the electronic recognition process: the card user, the card and the terminal device (card reader). Authentication is necessary so that the user, the terminal into which the card is inserted, or the software application to which the card parameters are passed, can perform certain actions with the data on the card. Access rules are assigned by the application developer when creating the data structures on the card.

Electronic tokens

Electronic tokens (so-called token devices) are now widely used as passes in various systems that require identification of a user or owner. A well-known example of such a token is the electronic "tablet" (Fig. 8.4). The "tablet" is made in a round stainless-steel case and contains a chip with a unique number written into it. User authentication takes place when the "tablet" touches a special contact device, usually connected to the computer's serial port. In this way one can grant access to premises, but also allow work on a computer or block unauthorized users from working on it.

For convenience, the "tablet" can be fixed on a keychain or pressed into a plastic shell.

Currently, these devices are widely used to control electromechanical locks (room doors, gates, entrance doors, etc.). However, their "computer" use is also quite effective.

Magnetic cards, proximity cards and electronic tokens are passive in nature. They perform no active actions and do not take part in the authentication process; they only give out the stored code. This is their main limitation: a code that has been read once can be replayed.

Tokens have somewhat better wear resistance than magnetic cards.
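As an added example (not from the original text) of the difference between the passive keys above and a smart card with its own authentication algorithm, the Python model below gives a passive token that only emits its stored code and a smart card that answers a fresh challenge from the terminal with a keyed MAC (HMAC-SHA-256 stands in for the card's algorithm). It also shows the PIN retry counter mentioned in the discussion of PINs. An eavesdropper on the reader interface can replay the passive code but not the smart-card answer. All names and values are assumptions.

```python
import hashlib, hmac, secrets

class PassiveToken:
    """Magnetic stripe, proximity card or iButton: always returns the same stored code."""
    def __init__(self, code):
        self._code = code
    def read(self):
        return self._code

class SmartCard:
    """Keeps a per-card secret key and the PIN inside the chip; neither ever leaves it."""
    def __init__(self, card_id, key, pin):
        self.card_id, self._key, self._pin = card_id, key, pin
        self.pin_tries_left = 3                       # retry counter against PIN guessing
    def verify_pin(self, pin):
        if self.pin_tries_left == 0:                  # card is locked
            return False
        if hmac.compare_digest(pin, self._pin):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False
    def respond(self, challenge):
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class Terminal:
    def __init__(self):
        self.known_codes = set()                      # enrolled passive tokens
        self.card_keys = {}                           # card_id -> key (in practice derived from an issuer key)
    def check_passive(self, code):
        return code in self.known_codes               # whoever presents the code gets in
    def check_smart(self, card, pin, responder=None):
        """responder lets the demo substitute an attacker's answer for the card's own."""
        if not card.verify_pin(pin):
            return False
        challenge = secrets.token_bytes(16)           # fresh nonce, never reused
        answer = (responder or card.respond)(challenge)
        expected = hmac.new(self.card_keys[card.card_id], card.card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(answer, expected)

def demo():
    term, token = Terminal(), PassiveToken(b"\x01\x7f\xa3\x10")     # constructed token code
    term.known_codes.add(token.read())
    key = secrets.token_bytes(32)
    card = SmartCard(b"CARD-0001", key, "4711")                     # assumed card id and PIN
    term.card_keys[card.card_id] = key
    clone = PassiveToken(token.read())                              # attacker copied the passive code
    sniffed = {}                                                    # attacker recorded one card answer
    def tapped(ch):
        sniffed["answer"] = card.respond(ch)
        return sniffed["answer"]
    return {
        "passive_genuine": term.check_passive(token.read()),
        "passive_replay": term.check_passive(clone.read()),          # the copy works just as well
        "smart_genuine": term.check_smart(card, "4711", tapped),
        "smart_replay": term.check_smart(card, "4711", lambda ch: sniffed["answer"]),  # stale answer, new challenge
        "locked_after_3_wrong": [card.verify_pin("0000") for _ in range(3)] + [card.verify_pin("4711")],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the challenge is that the card proves possession of the key without ever transmitting it, and every proof is bound to a nonce the terminal has just chosen; the passive code, by contrast, is the secret itself, so reading it once is equivalent to stealing the card. Real smart cards (EMV, for instance) use per-card keys derived from an issuer master key plus transaction counters, but the replay argument is the same.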

Conclusion

Thus, the problem of protecting banking information is too serious for a bank to neglect. Recently a large number of breaches of confidentiality have been observed in domestic banks; an example is the appearance in the public domain of CD-ROMs with various databases on commercial companies and individuals. In theory the legislative framework for protecting banking information exists in our country, but its application is far from perfect: so far there have been no cases of a bank being punished for disclosing information, or of a company being punished for attempting to obtain confidential information.

The protection of information in a bank is a complex task that cannot be solved only within the framework of banking programs. Effective implementation of security begins with the selection and configuration of operating systems and network system tools that support the operation of banking programs. Among the disciplinary means of ensuring protection, two areas should be distinguished: on the one hand, this is the minimum sufficient awareness of system users about the features of the system construction; on the other hand, the presence of multi-level means of user identification and control of their rights.

At different points in its development, the ABS (automated banking system) had different protection components. In Russian conditions, by level of protection most banking systems should be classified as systems of the first and second levels of protection complexity:

1st level - use of software tools provided by standard tools of operating systems and network programs;

2nd level - use of security software, encryption of information and of access codes.

Summarizing all of the above, I came to the conclusion that when working in the banking sector one needs to be sure that corporate and commercial information will remain closed. Care should be taken, however, to protect not only documentation and other production information but also the network settings and network operation parameters on the machine.

The task of protecting information in a bank is much tougher than in other organizations. The solution of such a problem involves the planning of organizational, systemic measures that provide protection. At the same time, when planning protection, one should observe a measure between the necessary level of protection and the level when protection begins to interfere with the normal work of personnel.

Annex 1

List of personnel of a typical ASOIB (automated system for processing banking information) and the corresponding degree of risk from each of them:

1. Biggest risk: system controller and security administrator.

2. Increased risk: system operator, data entry and preparation operator, processing manager, system programmer.

3. Average risk: system engineer, software manager.

4. Limited Risk: application programmer, communication engineer or operator, database administrator, equipment engineer, peripheral equipment operator, system magnetic media librarian, user programmer, user operator.

5. Low Risk: peripheral equipment engineer, user magnetic media librarian, network user.

Fig. 1. Magnetic card

Fig. 2. Proximity card

Fig. 4. Electronic tokens

Annex 2

Loss statistics for Visa and MasterCard (share in total losses, %; the percentage figures did not survive in this copy of the table):

* Merchant fraud

* Stolen cards

* Counterfeit cards

* Altering the card embossing

* Lost cards

* Misuse

* Telephone fraud

* Mail-forwarding fraud

* Postal fraud

* Theft in transit

* Collusion with the cardholder
