Evaluating Security Provisions in Banking Software Systems

Lakmal Chaminda Senanayake

A thesis submitted to the graduate faculty of Design and Creative Technologies, Auckland University of Technology, in fulfilment of the requirements for the degree of Master of Philosophy

School of Engineering, Computer and Mathematical Sciences
Auckland, New Zealand
2019

Declaration

I hereby declare that this submission is the result of my own work and that, to the best of my knowledge, it contains no material previously published or written by another person. Due acknowledgement is given where references have been made.

.......................................... Lakmal Chaminda Senanayake

Acknowledgements

This thesis was completed at the Auckland University of Technology, School of Engineering, Computing and Mathematical Sciences, Faculty of Design and Creative Technology. I would like to thank my family, friends and colleagues for their continued encouragement to push boundaries and attain a higher level of education and skills. I am most grateful to my supervisor, Professor Brian Cusack, Senior Lecturer, School of Engineering, Computing and Mathematical Sciences, Faculty of Design and Creative Technology, Auckland University of Technology, for his valuable guidance, useful suggestions and support in compiling this research report. This research would not have been possible without him. Thanks also to my colleagues who took time out of their busy schedules to encourage me in this research. I would also like to thank the Auckland University of Technology for giving me the opportunity to do this Master of Philosophy course, and the Faculty of Design and Creative Technology for providing me with all the materials and resources needed to accomplish it. I would also like to thank all the staff members of the Library and the Faculty of Design and Creative Technology for attending to all my doubts and offering me their kind help.
Abstract

Banks around the world invest substantial amounts of money in banking software systems, even though it is mostly the younger generation who are receptive and the general public is slow to trust new innovations. Mobile device platforms have created a great opportunity for the business of banking through their vast geographical coverage and reach to a global population. As a result, most banks have started introducing banking facilities through mobile applications. The ability for a user to carry out transactions such as real-time payments is expected in the new generation of banking. Research shows that, despite the availability of the systems, only 40% of customers are mobile banking users in the case study of Sri Lankan banking. Concerns around security have been identified as the strongest reason that still encourages people to walk into banks to get their business done rather than accessing services through mobile devices. As an IT professional, I would say that I belong to this segment of non-mobile users most of the time, because the security threats are known and seen in abundance. During the last two years, well-organized teams of criminals have repeatedly hacked banking systems internationally, exploiting the weaknesses of the banking systems and of the software systems integration. The weaknesses of the systems include issues with interoperability, susceptibility and backdoors in internationally distributed software, and also general deficiencies in the applied knowledge of the essential features of security in banking systems. Phishing has been the strongest and most public attack, and it continues to undermine confidence in online and mobile banking systems. It is an attempt to gather sensitive data by sending e-mails to recipients that pretend to be from the actual bank and request personal data such as passwords, usernames and credit-card information.

The attackers also request money transfers through indirect channels and confuse potential system users. Phishing further redirects network traffic to malicious websites, denies network traffic to web services, and modifies the protection mechanisms of the target banking system and its interconnected networks. Successful attacks can result in financial losses, loss of identity and unauthorized disclosure of information. In this research I collect and analyze publicly available secondary data on a hacking case (the affected people's comments, systems information and published opinions) together with my own critical reflection to build a case example. It provides knowledge to help in preventing and recovering from such attacks. The purpose of this case study is to review the Sri Lankan banking systems and to identify possible vulnerabilities for improvement. Further, the study critically analyses the experience of a Sri Lankan bank which faced a phishing attack via online banking (all data used are public and secondary). This study brings out how to deal with such a hazardous situation and how to arrive at better defenses and post-attack responses. Chapter 4 itemizes the evidence from an investigation into the bank security breach and Chapter 5 provides an analysis. Figures 5.1 to 5.3 summarize the learning from this incident. Additionally, secondary document analysis was used to investigate bank staff and bank customer experiences with phishing attacks and bank security procedures. It shows the Sri Lankan experience of phishing attacks via online banking, the users' backgrounds, and the role of education and communication in better preparing people to distinguish and resist attacks. The research analysed phishing through case studies that highlighted some of the experiences of phishing attacks and how to deal with the problems.

An emphasis was placed on the prior level of knowledge of phishing threats, how they originated, and what methods were used in undermining the security of online banking users. Further, the bank's response to the problem in deploying protection for online banking to safeguard against such phishing attacks is documented, and recommendations are made for improvement.

Table of Contents

Declaration ... i
Acknowledgements ... ii
Abstract ... iii
Table of Contents ... v
List of Figures ... xi
List of Tables ... xiii
List of Abbreviations ... xv

Chapter 1 Introduction
1.0 INTRODUCTION ... 1
1.1 THE SIGNIFICANCE OF THE STUDY ... 2
1.1.1 Where is the phishing targeted? ... 3
1.2 AIMS OF THE RESEARCH ... 4
1.3 ORGANISATION OF THIS THESIS ... 5

Chapter 2 Literature Review
2.0 INTRODUCTION ... 6
2.1 BANKING SYSTEMS ... 6
2.1.1 Core Banking Systems (CBS) ... 7
2.1.2 Core banking solutions ... 7
2.1.3 Core banking system key modules ... 9
2.1.4 Core banking architecture overview ... 12
2.2 BANKING SYSTEMS OF SERVICE ORIENTED ARCHITECTURE (SOA) ... 16
2.2.1 Cloud Computing impact ... 17
2.2.2 Comparing Cloud Computing and SOA services ... 19
2.2.3 Service-oriented architecture revolutionizing banking systems ... 19
2.2.4 SOA integrating multiple channels ... 24
2.2.5 Simplifying the account opening process with SOA ... 26
2.2.6 Change through SOA ... 30
2.2.7 Benefits of SOA ... 31
2.3 TRANSFORMATION OF BANKS ARCHITECTURE TO NON-BANKING SYSTEM ... 33
2.3.1 A classification framework for non-banks ... 34
2.3.2 Non-banks and virtual currencies ... 41
2.4 EVALUATING SECURITY RISK IN BANKING SYSTEMS ... 42
2.4.1 Security risk in online banking systems ...