Wednesday, December 24, 2008
Use SSL in IIS to protect the communication channel between your WCF enabled web application and the web client. SSL protects sensitive data on the network from being stolen or modified.
The following are the steps to configure certificates for Secure Sockets Layer (SSL) communication in IIS.
1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
8. On the Available Certificates screen, select the certificate you created and installed in previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.
Monday, December 22, 2008
How to Create a Temporary X.509 Certificate for Message Security
Use the following steps to create a temporary X.509 certificate for message security:
1. Create a certificate to act as your Root Certificate Authority
makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer
2. Create a Certificate Revocation List File from the Root Certificate
makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl
3. Install your Root Certificate Authority on the server and client machines. Use MMC to install the RootCATes.cer on client and server machines in the Trusted Root Certification Authorities store
4. Install the Certificate Revocation List file on the server and client machines. Use MMC to install the RootCATes.crl on client and server machines in the Trusted Root Certification Authorities
5. Create and install your temporary service certificate
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer –sr localmachine -ss my -sky exchange -pe
6. Give the WCF Process Identity Access to the Temporary Certificate’s Private Key
7. FindPrivateKey.exe My LocalMachine -n "CN=tempCert"
cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\
/E /G "NT AUTHORITY\NETWORK SERVICE":R
The value "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" should be the one returned by findprivatekey
Wednesday, December 17, 2008
Enquotes a string literal
Encloses a name in double quotes
Returns the value without any checking
Verifies that the input string is a qualified SQL name
Verifies that the input string is an existing schema name
Verifies that the input string is a simple SQL name
Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object
It is this DBMS_Assert Package that that guarantees immunity to SQL Injection.
Ensuring safety of Datetime literal
- Use the two-parameter overload, for an input of datatype date, To_Char(d, Fmt), to compose a SQL datetime literal
- Concatenate one single quote character before the start of this value and one single quote character after its end.
- Assert that the result is safe with DBMS_Assert.Enquote_Literal().
- Compose the date predicate in the SQL statement using the two-parameter overload for To_Date(t, Fmt) and using the identical value for Fmt as was used to compose t.
The procedure p_Safe(), whose first few lines are shown in code below implements this approach. Of course, date is not the only datetime datatype. The same reasoning applies for, for example, a timestamp literal.
procedure p_Safe(d in date) is
q constant varchar2(1) := '''';
-- Choose precision according to purpose.
Fmt constant varchar2(32767) := 'J hh24:mi:ss';
Safe_Date_Literal constant varchar2(32767) :=
Fmt_Literal constant varchar2(32767) := q||Fmt||q;
Safe_Stmt constant varchar2(32767) :=
' insert into t(d) values(To_Date('
|| ', '
execute immediate Safe_Stmt;
Ensuring the safety of a SQL text literal
The rules for composing a safe SQL text literal from a PL/SQL text value:
- Replace each singleton occurrence, within the PL/SQL text value, of the single quote character with two consecutive single quote characters.
- Concatenate one single quote character before the start of the value and one single quote character after the end of the value.
- Assert that the result is safe with DBMS_Assert.Enquote_Literal()
Ensuring the safety of a SQL numeric literal or simple SQL name
The rules for composing a safe SQL numeric literal from a PL/SQL numeric value:
- Use explicit conversion with the To_Char() overload with three formal parameters. This overload requires that a value be supplied for Fmt. Explicitly provide the value that supplies the default when the overload with one formal parameter is used. This is 'TM'. 'TM' is the so-called text minimum number format model. It returns the smallest number of characters possible in fixed notation unless the output exceeds 64 characters.
- Explicitly provide the value that supplies the default for the NLS_Numeric_Characters parameter when the one of the overloads with one or two formal parameters is used. This is '.,'.
- Ensure the safety of the name with DBMS_Assert.Simple_Sql_Name().
Tuesday, December 16, 2008
Use the following steps to determine WCF configuration for a NAT or firewall:
1. Determine the addressability of the service and client machines. If the service or the client are behind a NAT and are not directly addressable then use a technology such as Microsoft Teredo to enable communication.
2. Determine if there are protocol or port constraints on the service or client machines. For example, port 80 may be open through a firewall but other ports may be blocked.
Once you understand the addressability, protocol and port constraints on your service and its clients you can determine service and endpoint configuration. Use the table in the MSDN article “Working with NATS and Firewalls” at http://msdn.microsoft.com/en-us/library/ms731948.aspx to determine the best configuration for your scenario.
This is the first of it's kind Pan India group.The group will organize regular boot camps , on-line solution challenge contests, pod casts , sharing of white papers and articles amongst members.
You can also join the group on linkedin>groups>solutionscommunity
Presentations of First Boot Camp Organized can be found at links below:
Monday, December 15, 2008
- If possible, remove the need for a password at all by specifying ClientCredentialType=”Windows”, ClientCredentialType=”Certificate”, or a custom token that does not require a password.
- If the user must enter a password, protect the password by specifying either
to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.
Monday, November 24, 2008
When using non-windows authentication like Certificate Authentication or username authentication, if you need to impersonate the original caller (if it has windows account) or a service account you have following 2 options
1. Using the S4U Kerberos extensions - For this you must grant your process account the "Act as part of the operating system" user right.
2. Using the LogonUser windows API - this needs to have access to the user credentials (username and password) - which increases the security risk of maintaining the user credentials in WCF Service.
Note: S4U Kerberos extensions places your process within the trusted computing base (TCB) of the Web server, which makes your Web server process very highly privileged. Where possible, you should avoid this approach because an attacker who manages to inject code and compromise your Web application will have unrestricted capabilities on the local computer.
Tuesday, November 18, 2008
If you want block clients from accessing the WSDL of your service you should remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false.
If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.
To stop your clients from referencing your service, stop your service from publishing its metadata. To do this, remove all the Mex endpoints from your service configuration and configure HttpGetEnabled and HttpsGetEnabled to false in the ServiceBehavior section as shown below:
serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"
Saturday, September 27, 2008
If you wonder “What makes secure software different?” you would realize that security is an innate property of the software which was expected to be built in. Unfortunately, most of applications lack security today. The traditional practices used to develop outsourced applications are no more effective. Even the Indian IT services companies lag in improvising their SDLC at the same pace with the global industry. One of the weakest areas where these companies fall is Software Security. Current business environment is fraught with risks. The applications demand tight software security embedded inside to prevent hackers getting in. To incorporate software security measures, enterprises need to change their existing application development lifecycle.
The current scenario is such that many companies to an extent have started addressing security earlier in the lifecycle to mitigate the risks of application security attacks. But, there is still room for improvement. The application security landscape is changing rapidly.
Customers outsourcing applications need to ensure the application development lifecycle of the IT services provider embark software security inline. The IT services companies on the other hand need to develop confidence in the customer for software security levels in their SDLC.
Maintaining a high level of security is no simple proposition. One of the key issues with outsourced applications is that unlike functional concerns, non-functional concerns of application like security and performance are always given lower priority. If the services companies fail to understand the importance of these non-functional factors, the customer is at loss. At the end, if these security defects are injected due to lack of measures taken during SDLC, it may destroy customer value and trust.
Growing Demand of Moving Security Higher in SDLC
Application Security has emerged as a key component in overall enterprise defense strategy. Companies that build a strong line of defense usually learn to think like an attacker. Often is a developer is asked to wear two hats: one as developer that works in complex distributed environments, and the other as a security expert who builds software security. Organizations that understand application security practices and priorities are using resources far more effectively than in years past, while avoiding costly and potentially crippling problems.
In the years past, anti-virus software, firewalls, intrusion detection and intrusion prevention systems have been successful enough to protect network and hosts. While still the bulk of attacks happen at network layer, attackers have been successful compromising the application with lower ratio of making applications as targets. The industry reports of organization suffering application attacks with significant downtime in the application or loss of customer data. Financial institutions, Healthcare providers, Retailers, Telecom Industry or even IT Companies have not been able to get escaped from becoming a victim of application attacks. The impact of these attacks have been damage to their brand name, loss in revenue, loss of customer data, system or network downtime and even legal issues with compliance to PCI (Payment Card Industry) or SOX (Sarbanes-Oxley) standards.
In the current world, software security assurance needs to be addressed holistically and systematically in the same way as quality and safety. Most of the assurance can be driven by improved software development practices. It is also important to realize that the security cost factor increases as you move down the SDLC.
Sunday, September 07, 2008
Saturday, September 06, 2008
Friday, August 08, 2008
The OWASP Foundation ( www.owasp.org) has posted their final speaker selection for their upcoming conference in New York City. The conference will take place September 22nd - 25th, downtown at Pace University, located at One Pace Plaza.This application security world conference will be the largest OWASP conference ever. The Keynote Speakers for this event will include Howard A. Schmidt, Former White House Cyber Security Advisor, Joe Jarzombek, the Director for Software Assurance in the Department of Homeland Security (DHS), and Jeff Williams, Chairman of the OWASP Foundation. Jeremiah Grossman, Robert "RSnake" Hansen, along with many other well known application security pioneers, will present new research, findings and solutions. This conference is limited to only 1,000 attendees, so reserve your spot immediately.
The OWASP conference is focused on making educators, developers, managers and security professionals aware of the new techniques in Hacking, BotNet and management of the Software Development Lifecycle (SDLC) that are critical for industry standards and regulations such as PCI, ISO, GLBA, SOX, HIPAA and FISMA.
"New York City is the epicenter of the World Financial Industry. This makes it a prime target for attackers and the best place to hold the OWASP Conference. OWASP's contributors are focused on making people aware of the tools and techniques that hackers are using to make Cyber-Crime a multi-billion dollar a year industry," said Tom Brennan, OWASP Foundation Board Member and NYC Conference Organizer.
The conference is sponsored by many industry leading companies such as Imperva, IBM, WhiteHat Security, Cenzic, ISC(2), F5, Breach, Foundstone, Acunetix, AccessIT, Artec, Airtight, Art of Defense & Security University, just to name a few that will also be on exhibit.Proceeds from OWASP conferences and their sponsors help fund many projects and grants, including industry leading publications as the OWASP Top-10, OWASP Development Guide, Testing Guide & Code Review Guides.
Wednesday, July 16, 2008
McAfee Reports Recent phishing attempts have been targeting some popular social networking sites and jobs websites, such as facebook.com and monster.com. Due to the amount of personal and sensitive information which is saved there, they are very valuable to phishers. This data could be used to further target or spear phish individual victims by name and even work interests.
We have seen phishing attacks which targeted careerbuilder.com in the past. The latest target is another big recruitment site - monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”
But please do not be fooled! These are not from Monster at all!!
The phishing domain would appear to be hosted on a new UK domain with dns leading to a bot in Turkey. We can see from this phishing site, the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs which often contain a gold mine of sensitive data. Other elements of the recruiters account could be useful as well.
The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!
Tuesday, June 10, 2008
Any idea what is there inside the 'System Volume Information' folder there? Well, windows indeed stores a lot of information that is required to be protected there and all the windows restore points are also present in this folder.
Now, security doesn't seem to have covered at all the places in windows. What happens is the path inside System Volume Information is protected by a folder structure which is not easy to guess.
The flaw lies in Windows Defragmentation.
Windows Defragmentation does not hide the fragmented files present in System Volume Information folder. If the folder structure is revealed here, you get access to lot more sensitive information. This includes windows registry, SAM files, etc.
So, if I save this report and view the actual path inside the System Volume Information,
I use this path to get inside System Volume Information folder using explorer and I now have the access to "protected" files like SAM file and lots of other information.
Sunday, June 01, 2008
This comes as 101st Post for this blog and I thought to compile list of most popular posts I have had here on the blog.
Credits to Google Analytics for the stats. :)
Here goes the list:
Virtualization : Is it Secure?
Big B Watching or Is this Intrusion of Privacy?
How to Build Secure Software
Free Web Proxy List
Hacking Web Applications – Truly Simple
Using IT to Combat Money Laundering
Westside in Mumbai stores your credit card numbers..
Get into pay sites for free as a Googlebot
Thick Client Application Security
Guarding Against Credit Card Frauds
Can Security be incorporated in the Computer Science & IT courses?
Security Concerns in Web 2.0
Managing Account Lockout
Clear Text Secrets
Mitigating XSS Attacks in ASP.NET Apps
SQL Injection in Stored Procedure
You can be arrested for using free Wi-Fi
Using Google to View MySpace or Any Restricted Site
Online Banking Security
Web Services Design Security Considerations
Perspective of Performance and Security in IT
Design Considerations for Security
Download everything from Microsoft without WGA Check
What is STRIDE
The weakest link in the security chain? You
Information Systems Security Assessment Framework (ISSAF)
ASP.NET __VIEWSTATE issues
Thursday, May 29, 2008
Users may not be totally aware of the security risks, risks to the mission, and vulnerabilities associated with their system.
Commonly Used Techniques for Capturing Security Requirements can be broadly categorized as a top-down or a bottom-up analysis of possible security failures that could cause risk to the organization.
1. Fault Tree: Analysis for security is a top-down approach to identifying vulnerabilities. In a fault tree, the attacker’s goal is placed at the top of the tree. Then, the analyst documents possible alternatives for achieving that attacker goal. For each alternative, the analyst may recursively add precursor alternatives for achieving the subgoals that compose the main attacker goal. This process is repeated for each attacker goal. By examining the lowest level nodes of the resulting attack tree, the analyst can then identify all possible techniques for violating the system’s security; preventions for these techniques could then be specified as security requirements for the system.
2. Failure Modes and Effects Analysis (FMEA) is a bottom-up approach for analyzing possible security failures. The consequences of a simultaneous failure of all existing or planned security protection mechanisms are documented, and the impact of each failure on the system’s mission and stakeholders is traced.
Other techniques for developing system security requirements include threat modeling and misuse and abuse cases.
Monday, April 28, 2008
What amuses me is that the situation can be much better improved by integrating the basic security mantras in the graduate programs of Computer Science and Information Technology courses. The engineering courses for Computer Science and Information Technology at least can be sought to have the security touch points to enable the fresh candidates understand security implications while building software.
Currently, most security efforts at the university courses are in the form of specialized security classes which address particular topics in form of network security or cryptography. In contrast to the integrated approach currently being used in industry, education continues to handle security as an afterthought.
Something that everyone in the engineering courses would have learnt would be Database Management Systems (DBMS) and Web Technologies. Let’s take an example, we were taught that writing stored procedures are better compared to writing dynamic SQL because they are pre-compiled and hence better in terms of software performance. But we were not taught that stored procedures also helps protect you from a security threat called SQL Injection which is one of the most common attack.
My proposal is to plot security in the engineering curriculum with core courses. It just requires infusion as a subset in the main subjects. The concept of robust programming is native to secure coding. It is imperative to teach students that safe and reliable programs are inherently more secure.
The classic Software Development Lifecycle (SDLC) includes analysis, design, implementation, testing, and maintenance. Incorporating security into the SDLC yields the Secure Development Lifecycle. The touch points in the course should be Security Requirements and Analysis, Security Design, Security Implementation and Security Testing. Something that is fundamental to software programming and security assurance becomes the security coding mantras. A few are mentioned below.
• Principle of Defense in Depth
• Principle of Least Privilege
• Do not trust any user input
• By default Deny
• Assume the Impossible
• Graceful degradation on error
The idea is to make students aware of these small mantras while learning software programming. These small changes make a huge impact on the student who enters the industry and is already aware of security best practices if not all the attacks. It makes a great value add for the organizations too to hire a candidate with basic security knowledge. The ability to write secure code should be a fundamental to a university computer science as basic literacy. I am sure that the industry will also appreciate if the universities accept these changing demands.
Technical Analyst, Mastek
Tuesday, April 08, 2008
The emerging attacks by attackers which is dynamically changing each time a potential victim visits the malicious page is defying the traditional regular-expression and heuristic-based protection that identifies Web exploits at the network or host.
The attacker are very effective in creating a unique exploit with each request and making it impossible for signature-based protection engines to uniquely detect each attack instance.
The major driving factor for the attacker still remains Financial gain. Stealing personal data, hijacking Web transactions, executing phishing scams and perpetrating corporate espionage
are all motivators.
Traditional security techniques focus on stopping file execution and viruses at the client’s operating system (OS) layer. Unfortunately, it is far more difficult to protect users at the browser level. While some signature-based protection is able to detect one layer of Web exploit obfuscation, polymorphic exploitation will pose a new problem.
Proposed countermeasures for Web 2.0 and client side attacks include:
• Educating Web developers on the need for secure coding throughout the development lifecycle, with emphasis on input validation.
• Transitioning from finger-print or pattern matching protection to heuristics or behavior-based protection.
• Utilizing feedback networks to analyze malicious Web sites, encourage remediation and improve content filtering at the browser level.
Friday, April 04, 2008
Most of you in the world of Web Application Security would have heard about Burp, Paros, WebScarab and other proxy tools to intercept the web (HTTP/HTTPS) requests and able to fiddle around with the parameters.
Going beyond the normal web request proxy tools to intercept the request and fiddle around, what tools do we use to intercept Thick Client Applications?
I have come across the tools like
Saturday, March 22, 2008
OWASP is now launching the Summer of Code 2008 (SoC 2008)
- The SoC 2008 is an open sponsorship program were participants/developers are paid to work on OWASP (and web security) related projects.
- The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
- The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.
- The only requirement is that the candidate shows the potential to accomplish the project's objectives/deliveries and the commitment to dedicate the time required to complete it in the appropriate period.
Friday, March 21, 2008
If we recall the attacks few years back, we see that most of the organizations including NASA, CIA and Yahoo were attacked. These attacks were mostly at network layer of the corporate systems. The network layer is now very secure and hackers find it difficult if not impossible to attack at the network layer. Today, applications are the target. Attackers steal credit card numbers from bank site and an intruder breaks into a corporate application stealing sensitive employee information. Hackers use the application sitting behind the strong firewall and use a loop hole in the application to access corporate and customer data. As the industry embraces the benefits of e-business, the use of Web based technologies will continue to grow. However, as these technologies evolve, the vulnerabilities are being discovered at a similar rate. Secure implementation of these technologies cannot be achieved without a consistent approach to Web Application Security. Also the convergence of regulatory demands for application security with an increasingly security-savvy software buyer is driving a serious impetus for change.
Whether a security breach is made public or confined internally, the fact that a hacker has broken into your online assets should be a huge concern to organizations. Quite a large number of organizations are reactive to security incidents, pretending that the problem will go away. They respond with short-term fixes and the problems re-emerge rapidly. They fail to recognize the value of information and company reputation as opposed to cost of addressing security vulnerabilities.
Unlike certain worms and viruses that exploit the network security weaknesses, web application attacks go after flaws in the application itself. For example, an attacker could tamper with a part of HTTP request and use buffer overflows to corrupt an application by having it execute arbitrary code. In this way, an attacker could take control of the web or application server.
Ahh! We have a very strong password policy. But are passwords sufficient? Passwords are only as trustworthy as the people using them. If you rely on passwords to protect your online assets, then you are relying entirely on the people logging in and out. Let’s just draw a real world example. With popularity of social networking sites like www.orkut.com, we find thousands of people listing down their organization name and their work profile in public. What’s more concerning is they also list their family members with information of names and ages of their children. There is very high probability that a hacker may be able to find out a person’s password from the above information and get inside the organization’s defenses very quickly. Passwords are not sufficient to provide security to your online applications.
Does your firewall protect online assets? The traditional function of a firewall is to regulate the ports and services running on the server. Web applications by and large use port 80; and the firewall keeps this port open. This is the gold spot for the attackers. The beauty of application attack lies in sneaking through your firewall and use the application itself to break it. Firewalls cannot protect you from this happening.
With hacking tools being readily available and the complexity of attacking decreasing, it is relatively easy to find flaws in an application. A hacker could easily change the hidden fields of an online shopping site indicating price and smartly walk away without paying money. This is largely because while building applications, some of the most basic security measures, to keep information secure, were ignored. The cost of poor application security can be far greater than most organizations can imagine.
Organizations must take a proactive approach in protecting their critical web applications. The need lies in understanding how important application security is in the software development cycle. Application security must align as early as during requirement gathering, making way in secure design, development and deployment.
We are witnessing the emergence of more security-savvy buyer of software asking questions about the security practices and those are having a big impact on purchase decision. In long run, these companies will surely enjoy a higher return on investment.
Wednesday, February 20, 2008
Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine.
Tavis Ormandy working with Google Inc., investigated this topic and presented a paper at CanSecWest on a number of ways that an attacker could break out of a virtual machine.
Most of the attacks identified were flaws, such as buffer overflows, in emulated hardware devices. One example of this is missing bounds checking in bitblt routines, which are used for moving rectangular blocks of data around the display. If exploited, by specifying pathological parameters for the operation, this could lead to an attacker compromising the virtual machine process.
While you would typically require root (or equivalent) privileges in the guest to interact with a device at the low level required, device drivers will often offload the parameter checking required onto the hardware, so in theory an unprivileged attacker could be able to access flaws like this by simply interacting with the regular API or system call interface provided by the guest operating system.
- Learn to recognize and avoid phishing. The Anti-Phishing Working Group has a good list of recommendations.
- Update your software regularly and run an anti-virus program. If a cyber-criminal gains control of your computer through a virus or a software security flaw, he doesn't need to resort to phishing to steal your information.
- Use different passwords on different sites and change them periodically. Phishers routinely try to log in to high-value targets, like online banking sites, with the passwords they steal for lower-value sites, like webmail and social networking services.
Tuesday, February 12, 2008
Financial Institutions and Banking Institutions are amongst the most vulnerable to Money Laundering as illegal money enters the economy via banks in the form of large cash deposits or illicit financial transactions.
Money Laundering typically has 3 main phases – Placement, Layering and Integration. The common methods used in each of these phases are mentioned below:
1. Placement Stage: This prefers to the physical disposal of bulk cash proceeds derived from illegal activity.
a. Cash paid into bank (mostly with staff involvement or mixed with proceeds of legitimate business.
b. Cash used to purchase high value goods, property or business assets.
c. Cash being exported.
2. Layering Stage: This refers to the separation of illegal entrance of money from their source by creating complex layers of financial transactions. Layering conceals the audit trail and provides anonymity.
a. Several bank to bank transfers
b. e-transactions between different accounts in different names in different countries
c. Changing money’s currency
d. Resale of goods or assets
3. Integration Stage: This refers to the reinjection of the laundered proceeds back into the economy in such a way that they re-enter the financial system as normal business funds.
a. False loan payments
b. Forged invoices used as cover
c. Presenting income from property or legitimate business assets to appear clean
Using Information Technology to combat Money Laundering
While money laundering techniques are becoming sophisticated, so is the technology used to fight it. IT systems cannot be viewed as perfect solutions for Anti-Money Laundering techniques, but current packages have following to offer. Use of these packages enables banks to know and understand their customers and their financial dealings to help them manage risks prudently.
1. Competent for Name Analysis
2. Offer case based account documentation acceptance and rectification
3. Assess Money Laundering Risks at both Account and Customer levels
4. Rules-based systems
5. Include Statistical and Profiling engines for monitoring customers
6. Use Neural Networks and Link Analysis to detect frauds
7. Time sequence matching to prevent Hawala cases
8. Can monitoring transactions for suspicious activity
9. Helps ensure compliance to Banking or Financial standards for Anti Money Laundering
10. Investigation Tools
Effect On Our Economy
Money laundering is one of the ongoing problems facing the international economy. The economic effects are on a broader scale. Developing countries often bear the brunt of modern money laundering because the governments are still in the process of establishing regulations for their newly privatized financial sectors. There is also a growing realization about the extent that money laundering and its relationship with organized crime are interlinked.
The huge profits that accrue to these criminals from areas such as drug trafficking, international fraud, arms dealing, trafficking in human organs, will be used not only to facilitate ongoing operations, but to consolidate the wealth, prestige and respectability of those in control of the criminal business.
Hawala transactions have a huge impact on the economy. Various commercial activities get influenced. In fact, the price of land has been spiraling due to the activities of this mafia. The root of the problem can be traced to the policies of Government both at the Centre and the State. Inflation, rise in the land prices and circulation of black money are among the effect of money laundering methods circulating in the system. If left uncontrolled, it would lead to creation of a parallel economy which will destabilize our country. These artificially created inflated financial sectors create errors in economic policies. Massive influxes of dirty cash into particular areas of the economy that are desirable to money launderers create false demand, and officials act on this new demand by adjusting economic policy.
Issues on a local scale relate to taxation and small-business competition. Money from illegal activity is often untaxed which means the rest of us ultimately have to make up the loss in tax revenue. Also, legitimate small businesses can't compete with money-laundering front businesses that can afford to sell a product for cheaper because their primary purpose is to clean money, not turn a profit.
Money Laundering is a major concern because of its scale, its capacity to exploit and influence the legitimate business world and its capacity for internationalization. These concerns have led to concerted international action for a solution to combat this growing menace called Money Laundering.
Tuesday, January 29, 2008
Let me bring up few ways in which these frauds happen. By and large for physical credit card transactions, the deception story starts when the person who takes your card for swipe copies your card information to some other device. Later these details are copied to fake cards which are genuine card look alike with complete hologram markings and logos. The poor card holder remains completely unaware that his card has been cloned until he notices bill amounts of things he has never purchased. One of the other common methods is making a hoax call (often representing as card issuer authority) to the card holder and trying to retrieve card details. Credit card bills lying in trash cans or public places are other avenues where fraud originates.
Regarding users using cards for online transactions, one can see a large number of ways in which card data can be compromised. Falling in prey of a nice email asking for card details in return of discounts, or emailing card details to a friend or being a victim of card details being copied by an illegal software installed in cyber cafes are most common lines of attack sources.
One of the reasons in increasing successful frauds is inadequate knowledge of the card owner on proper use of credit cards. Here’s how credit card owners can better safeguard from these frauds.
• Over a credit card transaction, keep an eye on your card as it is being swiped. Make sure it is being swiped only once for a single successful transaction and get back your card as quickly as possible.
• Sign your credit card as soon as you receive it.
• Be protective of your credit card number so that others around you can't copy it or capture it on a cell phone or camera.
• Be prompt in keeping a check on your credit card bills to verify there are no bogus charges. For any charges that you don’t recognize, report these charges promptly to the card issuer.
• For people using cards at hotels or restaurants, remember to draw a line through blank portions of the receipt where additional charges could be fraudulently added other than hotel tips.
• In case of change of your billing address, notify your credit card issuers in advance so that bills reach safe hands.
• Save your receipts so you can compare them with your monthly bills.
• Always give your phone number to the company for verification of suspicious transactions.
• Be wary of any phone call or email seeking details of your account.
• Never give away photocopies of both sides of your credit card for any purpose.
• For online transactions, using credit card, remember to go by HTTPS and not HTTP.
• Avoid having e-transactions in a publicly share machine like Internet café or open free wireless network.
Wednesday, January 09, 2008
Banks today are increasingly getting introduced to a number of security threats. The ones in headlines have been Phishing, Key Logging and Man-in-the-Middle. We will find a number of online banking users who are naïve to this kind of technology and the threats associated with it. It is necessary to help them understand the precautions they must take to prevent being a victim of online theft.
Consumer education becomes a key element to prevent the manifestation of a number of risks into frauds. It is much easier for the experienced eyes of an internet-savvy user to detect potential phishing attempts when compared with a customer who has recently migrated from old school of banking to more recent modes.
On a happy note, there are solutions in the market to tackle problems of phishing, key loggers and man-in-the-middle attacks. But these are expensive solutions and not full proof.
Business Security Buy-In: Given the customer base or other reasons, it has not been easy for the banks to justify investing in secure solutions for online banking. In fact, many banks are willing to compensate for the fraud losses of the customers as they find it more cost effective than putting up a secure solution.
Security Challenges: Banks have to continuously evaluate the risks, cost of technology solutions and even upgradations. .It gets all the more challenging due to a variety of technological solutions available in the market, each addressing individual problems but none offering a one-stop solution.
Tuesday, January 08, 2008
Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter. If the intended website is "example.com"
- A common misspelling, or foreign language spelling, of the intended site: exemple.com
- A misspelling based on typing errors: xample.com or exxample.com
- A differently phrased domain name: examples.com
- A different top-level domain: example.org