Computer Crime Problems Research Center

Vasiliy Polivanjuk
www.crime-research.org

Prevention of Computer Crimes in Banking

Applying modern technical means of information security has become a significant element of computer crime prevention in banking (here prevention means restricting access to, or use of, the whole computer system or a part of it) [1]. The Regulations on technical information security in Ukraine state that the technical protection of restricted-access information in automated systems and computer equipment is directed at preventing breaches of the integrity of restricted-access data, and its leakage, by way of:

- unauthorized access
- interception and analysis of side electromagnetic emanations and pickup
- the use of planted eavesdropping devices
- the introduction of computer viruses and other means of disruption.

Technical protection of restricted-access information in automated systems and computer equipment intended for generating, transmitting, receiving, transforming, displaying and storing information is provided by a set of design, organizational, software and engineering measures at every stage of their creation and operation.

The main methods and means of technical protection of restricted-access information in automated systems and computer equipment are:

- the use of protected equipment
- regulation of the work of users, operating personnel, software, database elements and restricted-access information carriers (access delimitation)
- regulation of the architecture of automated systems and computer equipment
- engineering and technical fitting-out of the rooms and communications intended for operating the automated systems and computer equipment
- the search for planted eavesdropping devices, their detection and blocking [2].

When used skilfully and comprehensively, these measures can play a serious general preventive role in the fight against computer crime.

Given that the problem of computer crime and its prevention in banking has been studied in our country only since the 1990s, whereas in some foreign countries it has been studied for a long time, we should learn from the broad experience of those countries and apply it in domestic practice, taking into account the current normative and legal basis of Ukraine.

The main means of information security are: physical measures, hardware means, software means, combined hardware and software means, cryptographic methods and organizational methods.

Physical means of protection are the measures needed for the external protection of a computer, the premises and the facilities built on computer equipment; they are specifically intended to create physical obstacles on the possible routes by which a potential intruder could penetrate and reach the protected components of the information system and its data. The simplest and most reliable method of protecting information against the threat of unauthorized access is a regime in which a computer is used by one user alone, in a specially designated room, with no unauthorized persons present. In this case the designated room serves as the sole perimeter of protection, and the physical safeguards are its windows, walls, floor, ceiling and door. If the walls, ceiling, floor and door are solid, the floor has no hatches connecting to other rooms, and the windows and door are fitted with an alarm system, then the strength of the protection in the user's absence outside working hours will depend on the performance specification of that alarm system.

During working hours, while the computer is switched on, information can leak through the channel of side electromagnetic emanations. To prevent this threat, a special examination of the means (the computer itself) and facilities of electronic computing machinery (ECM) (a computer in a specially designated room) is carried out. This examination is a procedure of certification and categorization of ECM means and facilities, ending with the issue of the corresponding operating permit. In addition, the door of the room must be fitted with a mechanical or electromechanical lock. In some cases, where there is no alarm system and the user is absent for a long period, it is advisable to keep the system unit and the machine-readable data carriers in a safe. The hardware password in the BIOS input/output system of some computers, which blocks booting and operating the ECM, does not give adequate protection against unauthorized access: in the absence of a mechanical lock on the system unit case and in the absence of the user, the BIOS chip that carries the password can be replaced with an identical one, because BIOS chips are standardized and carry certain password data. For this reason a mechanical lock that prevents the computer from being switched on and booted is the most effective measure here.

To guard against the computer being removed, specialists suggest mechanically fastening it to the user's desk. At the same time it must be kept in mind that, in the absence of an alarm system providing constant access control to the room or the safe, the locks and fastenings must be strong enough that the time an intruder needs to force them exceeds the period of the user's absence. If protection of this kind cannot be provided, an alarm system is required without fail [3].

The range of modern physical security means is very wide. This group also includes various means of shielding workrooms and data transmission channels.

Hardware means of security are various electronic, mechanical, electromechanical and other devices that are built into the standard units of electronic data processing and transmission systems to provide internal protection of the computer facilities: terminals, input and output devices, processors, transmission links, etc.

The main functions of hardware security means are:

- preventing unauthorized remote access by a remote user
- preventing unauthorized access to databases as a result of accidental or intentional actions of staff
- protecting the integrity of the software.

These functions are carried out by means of:

- identification of the subjects (users, maintenance staff) and objects (resources) of the system
- authentication of a subject according to the identifier presented
- inspection of authority, i.e. checking whether the subject is permitted to perform particular kinds of work
- registration (logging) of references to forbidden resources
- registration of attempts at unauthorized access [4].

These functions are implemented with the help of various special-purpose engineering devices. In particular, they include:

- uninterruptible power supplies for the hardware, and voltage stabilizers that prevent sudden voltage drops and surges in the supply network
- devices for shielding the hardware, the transmission links and the rooms where the computer equipment is located
- devices for identifying and recording terminals and users that attempt unauthorized access to a computer network
- means of protecting computer ports, etc.

Port protection means have several protective functions, in particular:

1) «code comparison»: the port security computer compares the code presented by a caller with the codes of the authorized users

2) «disguise»: some port protection means disguise the existence of a port on a telephone line by synthesizing a human voice that answers the intruder's calls

3) «call-back»: the memory of the port protection means holds not only access codes but also identifying telephone numbers

4) keeping an automatic «electronic record» of access to the computer system that fixes the user's main operations [5].

Software security means are necessary to accomplish the logical and intellectual security functions embedded in the system's software tools.

Some of the security aims realized with the help of software security means are:

- control of system boot and login by means of a password system
- delimitation and checking of access rights to system resources, terminals, external devices, permanent and temporary data sets, etc.
- protection of files from viruses
- automatic control of users' operations by logging their activity.
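The security functions named in the two lists above (identification of subjects, authentication against the presented identifier, inspection of authority, logging of references to forbidden resources and of unauthorized-access attempts, and a password-controlled login) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the article or from any product it mentions; the user names, passwords, resource names and the choice of PBKDF2 for password hashing are assumptions made for the demonstration.

```python
"""Access-control model: identification, authentication, authority check and
registration (logging).  Added example, not part of the original article.
All users, passwords and resource names below are constructed for the demo."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, *resources: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "resources": frozenset(resources)}


# Constructed directory of subjects and the objects (resources) each may use.
USERS = {
    "teller01": make_user("correct horse", "accounts:read", "payments:create"),
    "auditor02": make_user("battery staple", "accounts:read", "audit_log:read"),
}

# Dummy entry so an unknown identifier costs the same time as a wrong password.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)

# Registration of forbidden-resource references and unauthorized-access attempts.
AUDIT_LOG: list = []


def _log(event: str, subject: str, resource) -> None:
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "event": event, "subject": subject, "resource": resource})


def authenticate(subject: str, password: str) -> bool:
    """Check that the presented password matches the stored hash for this identifier."""
    user = USERS.get(subject)
    if user is None:
        _hash_password(password, _DUMMY_SALT)  # burn equal time; do not leak existence
        _log("UNKNOWN_SUBJECT", subject, None)
        return False
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    if not ok:
        _log("BAD_PASSWORD", subject, None)
    return ok


def authorize(subject: str, resource: str) -> bool:
    """Inspect authority: is this subject permitted this kind of work?"""
    user = USERS.get(subject)
    if user is None or resource not in user["resources"]:
        _log("FORBIDDEN_RESOURCE", subject, resource)
        return False
    return True


def access(subject: str, password: str, resource: str) -> str:
    """Identify -> authenticate -> inspect authority; every refusal is logged."""
    if not authenticate(subject, password):
        return "denied: authentication failed"
    if not authorize(subject, resource):
        return "denied: not permitted"
    return f"granted: {subject} -> {resource}"


def failed_attempts(subject: str) -> int:
    """Number of logged refusals for one subject (the input to a lockout rule)."""
    return sum(1 for e in AUDIT_LOG if e["subject"] == subject)


def events() -> list:
    """Event names in the order they were registered."""
    return [e["event"] for e in AUDIT_LOG]


if __name__ == "__main__":
    for args in [("teller01", "correct horse", "accounts:read"),
                 ("teller01", "correct horse", "audit_log:read"),
                 ("teller01", "wrong", "accounts:read"),
                 ("nobody", "x", "accounts:read")]:
        print(args[0], args[2], "->", access(*args))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of checks matters: authority is inspected only after authentication succeeds, so the log distinguishes a wrong password from a permitted user reaching for a forbidden resource, and the count returned by `failed_attempts` is what a lockout or alerting rule would consume.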

Hardware and software security means are means based on a combination of software and hardware. They are widely used for authenticating users of automated banking systems. Authentication is the verification of a user's identifier before the user is granted access to a system resource.

Hardware and software security means are also used for applying the electronic digital signatures of accountable users. The use of smart cards holding passwords and user codes is widespread in automated banking systems [4].

Organizational means of protecting computer information comprise the set of measures concerning the recruitment, vetting and training of the staff who take part in all stages of the information process.

Analysis of the materials of criminal cases leads to the conclusion that the main reasons and conditions contributing to the commission of computer crimes are mainly the following:

- the absence of control over the activity of service personnel, which lets a criminal freely use a computer as the instrument of the crime
- the low level of the software, which has no built-in protection and does not check the consistency and accuracy of the information
- the imperfection of the password system protecting a workstation or its software from unauthorized access, which does not provide reliable identification of a user by individual biometric parameters
- the absence of a strict approach to employees' access to confidential information, etc.

The experience of foreign countries shows that the most effective protection of information systems is to establish the post of a computer security specialist or to create special services, private or centralized depending on the situation. According to foreign specialists, the existence of such a department (service) in a banking system halves the number of crimes committed in the sphere of computer technologies [6].

Under the legislation of Ukraine, state institutions and companies may create subdivisions or services that organize the work connected with information security, maintain the level of information security in automated systems and bear responsibility for its effectiveness [7]. It is worth noting that by its nature this norm is not imperative (obligatory) but advisory. It follows that, under the Law «About the information security in the automated systems», protecting information in automated systems is an obligatory function, while creating a separate organizational structure for that function is not obligatory. The function can be a component of another organizational structure, that is, it can be carried out alongside other functions.

In the opinion of such domestic specialists as Bilenchuk P.D. and Golubev V.O., the creation of special structures is obligatory for credit and financial institutions and certain other bodies (commercial banks, concerns, companies, etc.). They must have specially created computer security departments within the framework of the existing economic security and physical security services, whose activity should be supervised by one official specially appointed for the purpose, namely the deputy head of security, who has the corresponding human, financial and engineering resources at his disposal to solve the tasks set.

The duties of such persons (structural subdivisions) should include, first of all, the following organizational measures:

1) securing the support of the management of the particular enterprise for the requirements of computer equipment security

2) working out a comprehensive plan of information security

3) defining the priority directions of information security, taking into account the peculiarities of the company's activity

4) drawing up a general estimate of the expenditure needed to finance the security measures under the adopted plan (item 2) and having it approved as an annex to the company's management plan

5) defining the responsibility of the enterprise's employees for information security within the scope of their fixed competence, by concluding an agreement between the employee and the management

6) working out and implementing various operating instructions, rules and orders that regulate the forms of access, the levels of information privacy, the particular persons permitted to work with secret (confidential) data, etc., and controlling compliance with them

7) working out effective measures for combating violators of computer equipment security [5].

A reliable means of increasing the effectiveness of computer equipment security is training and instructing the working staff in the organizational and engineering security measures applied at the particular enterprise.

In addition, the following organizational measures must be carried out:

1) the access categories must be determined for all persons who have the right of access to the computer equipment, that is, the circle of official interests of each person, the kinds of information he has the right of access to, the kind of permit he holds, and the powers of the official authorized to carry out particular manipulations with the computer equipment

2) administrative responsibility for the safekeeping of information resources and for authorizing access to them must be determined, and a specific official must be made responsible for every kind of resource

3) periodic system control of the quality of information security must be established, both through scheduled tasks performed by the person responsible for security and by involving competent specialists (experts) from other enterprises

4) information must be classified according to its importance, the means of security differentiated on that basis, and the procedure for protecting information and for its destruction defined

5) physical security of the computer equipment facilities (physical protection) must be provided [6].

Cryptographic methods of security.

To protect information in transit, various methods are usually used to encode the data before it enters the transmission link or the physical carrier, with subsequent decoding. Ciphering methods make it possible to protect computer information from criminal encroachments quite reliably.

The application of cryptographic security, that is, the encoding of text with the help of complex mathematical algorithms, has become more and more popular. Certainly, no encryption algorithm gives an absolute guarantee of protection from malefactors, but some encoding methods are so complex that it is practically impossible to learn the contents of the encoded messages [6].

The basic cryptographic methods of security are:

- encoding with a pseudo-random number generator (gamma ciphering): a cipher gamma produced by the pseudo-random number generator is applied to the open data, the process being reversible

- encoding with standard data-encryption algorithms (symmetric ciphering schemes), based on checked and tested encoding algorithms of high cryptographic strength

- encoding with a pair of keys (asymmetric ciphering system), where one key is open (public) and is used for encoding the information, and the other is enclosed (private) and is used for decoding it.
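The first and third methods in the list above can be shown working together: a pseudo-random gamma is XORed onto the open data (and the same operation reverses it), and the open key of a pair is used to encode the gamma seed so that only the holder of the enclosed key can decode it. The block below is an added example written for this page, not code from the article; the keystream generator (HMAC-SHA256 in counter mode), the two Mersenne primes, and the sample message are assumptions made for the demonstration, and the key pair is textbook RSA without padding, used only to illustrate the open/enclosed pair and not for real use. The second method (standard symmetric algorithms) is deliberately left out: its whole point is to use a tested algorithm from a vetted library rather than to write one.

```python
"""Gamma (keystream) ciphering plus an open/enclosed key pair, in miniature.
Added example, not from the original article.  Generator, primes and message
are constructed for the demonstration; the RSA here is unpadded textbook RSA."""
import hashlib
import hmac
import secrets
from math import gcd


# --- 1. Gamma ciphering: pseudo-random gamma XORed onto the open data ----------
def gamma(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random byte stream derived from the seed
    (constructed generator: HMAC-SHA256 over a running counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def gamma_apply(seed: bytes, data: bytes) -> bytes:
    """Encoding and decoding are the same operation: XOR is its own inverse,
    which is the reversibility the text refers to.  The same seed must never
    be applied to two different messages."""
    return bytes(d ^ g for d, g in zip(data, gamma(seed, len(data))))


# --- 2. Asymmetric pair: one key open (public), the other enclosed (private) ---
P = 2 ** 61 - 1   # Mersenne primes, chosen so a 128-bit gamma seed fits below n
Q = 2 ** 89 - 1


def rsa_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)        # (open key, enclosed key)


def rsa_encode(public, m: int) -> int:
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be below the modulus")
    return pow(m, e, n)


def rsa_decode(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)


# --- Combining them: the open key carries the gamma seed, the gamma carries the data
def hybrid_roundtrip(message: bytes) -> bytes:
    public, private = rsa_keypair(P, Q)
    seed = secrets.token_bytes(16)
    # sender side
    ciphertext = gamma_apply(seed, message)
    sealed_seed = rsa_encode(public, int.from_bytes(seed, "big"))
    # receiver side: only the enclosed key recovers the seed, then the data
    recovered_seed = rsa_decode(private, sealed_seed).to_bytes(16, "big")
    return gamma_apply(recovered_seed, ciphertext)


if __name__ == "__main__":
    msg = b"payment order 0001: 100 UAH"   # constructed sample message
    print("round trip ok:", hybrid_roundtrip(msg) == msg)
```

Nothing here provides integrity: a gamma cipher lets anyone flip plaintext bits by flipping ciphertext bits, which is why the text's point that cryptography also serves integrity control implies a separate authentication step (a MAC or a digital signature) over the ciphertext in any real system.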

Cryptographic methods of information security are widely used in automated banking systems and are implemented as hardware, software or combined hardware-software security means. By combining message ciphering with a proper arrangement of communication facilities and proper user identification procedures, a high level of security of information interchange can be achieved.

Cryptography is one of the best means of ensuring the confidentiality of information and controlling its integrity. It occupies the central place among software and engineering security controls. It underlies many of them and at the same time remains the last line of defence.

To sum up, it must be pointed out that some bank security specialists tie the reliability of bank information systems to the means of their external protection, that is, to a system of passwords for entry not only to the computer network itself but also to different levels of system information depending on users' access. The circle of officials who have access to a wide range of such information in the course of banking activity is very large. Therefore a security system based on coded entry to different items of information is ineffective. Fundamentally new approaches are needed to the development and implementation of reliable systems for protecting banking from computer crimes. Such a system should be built in accordance with the technology of bank document circulation and the peculiarities of the kinds of payment and credit operations.

1. Pershikov V.I., Savinkov V.M. An Explanatory Dictionary on Information Science. - M.: Fin. and stat., 1991. - 536 p.

2. Regulations on engineering security of information in Ukraine, approved by the resolution of the Cabinet of Ministers of Ukraine of 1994 No. 632 // Collection of the normative documents of the engineering information security system. - The State Committee of Ukraine on State Secrets and Engineering Information Security, 1997. - No. 4. - pp. 15-41.

3. Ilnitskiy A.Yu., Shoroshev V.V., Bliznyuk I.L. The Fundamentals of Information Security from Unauthorized Access: methodical recommendations. - K.: NAVSU, 1999. - 160 p.

4. Eremina N.B. Bank Information Systems: Manual. - K.: KNEU, 2000. - 220 p.

5. Golubev V.O. Computer Crimes in Banking. - Zaporizhzhia: PC «Pavel», 1997. - 118 p.

6. Golubev V.O., Gavlovskiy V.D., Tsimbalyuk V.S. The Problems of a Fight against Crimes in the Field of Using Computer Technologies: a manual / Edited by professor of Law Kalyuzhnyi R.A. - Zaporizhzhia: UH «ZISMG», 2002. - 292 p.

7. Law of Ukraine «About the information security in automated systems» // The Bulletin of the Supreme Council of Ukraine. - 1994. - No. 31. - Article 286.


Copyright © Computer Crime Research Center, 2001-2002 All Rights Reserved.