
    Overcoming Data Breaches and Human Factors in Minimizing Threats to Cyber-Security Ecosystems

    This mixed-methods study focused on the internal human factors responsible for data breaches that could cause adverse impacts on organizations. Based on the Swiss cheese theory, the study was designed to examine preventative measures that managers could implement to minimize potential data breaches resulting from internal employees' behaviors. The purpose of this study was to provide insight to managers about developing strategies that could prevent data breaches from cyber-threats by focusing on the specific internal human factors responsible for data breaches, their root causes, and the preventive measures that could minimize threats from internal employees. Data were collected from 10 managers and 12 employees from the business sector, and 5 government managers in Ivory Coast, Africa. The mixed methodology focused on the why and the who using the phenomenological approach, consisting of a survey, face-to-face interviews using open-ended questions, and a questionnaire to extract the experiences and perceptions of the participants about preventing the adverse consequences of cyber-threats. The results indicated the importance of top managers being committed to a coordinated, continuous effort throughout the organization to ensure cyber security awareness, training, and compliance with security policies and procedures, as well as implementing and upgrading software designed to detect and prevent data breaches both internally and externally. The findings of this study could contribute to social change by educating managers about preventing data breaches, who in turn may implement information accessibility without retribution. Protecting confidential data is a major concern because one data breach could impact many people as well as jeopardize the viability of the entire organization.

    An Examination of E-Banking Fraud Prevention and Detection in Nigerian Banks

    E-banking offers a number of advantages to financial institutions, including convenience in terms of time and money. However, criminal activities in the information age have changed the way banking operations are performed. This has made e-banking an area of interest. The growth of cybercrime – particularly hacking, identity theft, phishing, Trojans, denial-of-service attacks and account takeover – has created several challenges for financial institutions, especially regarding how they protect their assets and prevent their customers from becoming victims of cyber fraud. These criminal activities have remained prevalent due to certain features of cyberspace, such as the borderless nature of the internet and the continuous growth of computer networks. Following these identified challenges for financial institutions, this study examines e-banking fraud prevention and detection in the Nigerian banking sector; particularly the current nature, impacts, contributing factors, and prevention and detection mechanisms of e-banking fraud in Nigerian banking institutions. This study adopts mixed research methods with the aid of descriptive and inferential analysis, which comprised exploratory factor analysis (EFA) and confirmatory factor analysis (CFA) for the quantitative data analysis, whilst thematic analysis was used for the qualitative data analysis. The theoretical framework was informed by Routine Activity Theory (RAT) and Fraud Management Lifecycle Theory (FMLT). The findings show that the factors contributing to the increase in e-banking fraud in Nigeria include ineffective banking operations, internal control issues, lack of customer awareness and bank staff training and education, inadequate infrastructure, the presence of sophisticated technological tools in the hands of fraudsters, negligence of banks' customers concerning their e-banking account devices, lack of compliance with banking rules and regulations, and ineffective legal procedure and law enforcement. In addition, the enforcement of rules and regulations in relation to the prosecution of financial fraudsters has been passive in Nigeria. Moreover, the findings also show that the activities of each stage of Fraud Management Lifecycle Theory are interdependent and have a collective and considerable influence on combating e-banking fraud. The results confirm that Routine Activity Theory is a real-world theoretical framework when applied to e-banking fraud. Also, from the analysis of the findings, this research offers a new model for e-banking fraud prevention and detection within the Nigerian banking sector. This new model confirms that for effective prevention and detection of e-banking fraud, there must be technological mechanisms, fraud monitoring, effective internal controls, customer complaints, whistle-blowing, surveillance mechanisms, staff and customer awareness and education, legal and judicial controls, and institutional synergy mechanisms in the banking systems. Finally, the findings from the analyses of this study have some significant implications; not only for academic researchers or scholars and accounting practitioners, but also for policymakers in financial institutions and anti-fraud agencies in both the private and public sectors.

    An investigation into the usability and acceptability of multi-channel authentication to online banking users in Oman

    Authentication mechanisms provide the cornerstone of security for many distributed systems, especially for increasingly popular online applications. For decades, the widely used, traditional authentication methods have been passwords and PINs, which are now inadequate to protect online users and organizations from ever more sophisticated attacks. This study proposes an improvement to traditional authentication mechanisms. The solution introduced here includes a one-time password (OTP) and incorporates the concept of multiple levels and multiple channels – features that are much more successful than traditional authentication mechanisms in protecting users' online accounts from being compromised. This research study reviews and evaluates current authentication classes and mechanisms and proposes an authentication mechanism that uses a variety of techniques, including multiple channels, to resist attacks more effectively than most commonly used mechanisms. Three aspects of the mechanism were evaluated: 1. The security of multi-channel authentication (MCA) was evaluated in theoretical terms, using a widely accepted methodology. 2. The usability was evaluated by carrying out a user study. 3. Finally, the acceptability was evaluated by asking the participants in study (2) specific questions aligned with the technology acceptance model (TAM). The study's analysis of the data, gathered from online questionnaires and application log tables, showed that most participants found the MCA mechanism superior to other available authentication mechanisms and clearly supported the proposed MCA mechanism and the benefits that it provides. The research presents guidelines on how to implement the proposed mechanism, provides a detailed analysis of its effectiveness in protecting users' online accounts against specific, commonly deployed attacks, and reports on its usability and acceptability. It represents a significant step forward in the evolution of authentication mechanisms that meet the security needs of online users while maintaining usability.

    Modeling the Process of Counteracting Fraud in E-banking

    Syniavska, O. Modeling the Process of Counteracting Fraud in E-banking / Olga Syniavska, Nadiya Dekhtyar, Olga Deyneka, Tetiana Zhukova, Olena Syniavska // Experimental Economics and Machine Learning for Prediction of Emergent Economy Dynamics: Proceedings of the Selected Papers of the 8th International Conference on Monitoring, Modeling & Management of Emergent Economy (M3E2-EEMLPEED 2019) (Odessa, Ukraine, May 22-24, 2019). CEUR-WS.org, online, 2019. Vol. 2422, pp. 100-110.
    The paper is devoted to the current issue of counteracting cyberattacks in the banking sector, in particular in the field of e-banking. The main types of banking fraud carried out in the online sphere are considered. The authors propose a mathematical model that describes the process of counteracting e-banking fraud. The proposed model is based on the classic Lotka-Volterra model with logistic growth and the Holling-Tanner dynamic models. The fixed points of the dynamic system were calculated and analyzed. It was determined that there are 4 possible types of fixed points: a saddle and a line of stable fixed points, which are unlikely to occur in real life, and a stable node and a stable degenerate node, which are, in practice, the most likely cases. The constructed model could be used for theoretical study, and different simulation experiments with changing input parameters could be done. Unfortunately, it is difficult to investigate this question on real data, since the statistics on cyberattacks are closed.

    Towards a framework to promote the development of secure and usable online information security applications

    The proliferation of the internet and associated online activities exposes users to numerous information security (InfoSec) threats. Such online activities attract a variety of online users, including novice computer users with no basic InfoSec awareness. Information systems that collect and use sensitive and confidential personal information of users need to provide reliable protection mechanisms to safeguard this information. Given the constant user involvement in these systems and the notion of users being the weakest link in the InfoSec chain, technical solutions alone are insufficient. The usability of online InfoSec systems can play an integral role in making sure that users use the applications effectively, thereby improving the overall security of the applications. The development of online InfoSec systems calls for addressing the InfoSec problem as a social problem, and such development must seek to find a balance between technical and social aspects. The research addressed the problem of usable security in online InfoSec applications by using an approach that enabled the consideration of both InfoSec and usability, viewing the system as a socio-technical system with technical and social sub-systems. Therefore, the research proposed a socio-technical framework that promotes the development of usable security for online information systems, using online banking as a case study. Using a convergent mixed methods research (MMR) design, the research collected data from online banking users through a survey and obtained the views of online banking developers through unstructured interviews. The findings from the two research methods contributed to the selection of 12 usable security design principles proposed in the socio-technical information security (STInfoSec) framework. The research contributed to online InfoSec systems theory by developing a validated STInfoSec framework that went through an evaluation process by seven field experts. Although intended for online banking, the framework can be applied to other similar online InfoSec applications with minimal adaptation. The STInfoSec framework provides checklist items that allow for easy application during the development process. The checklist items can also be used to evaluate existing online banking websites to identify possible usable security problems.
    D. Phil. (Computer Science)

    Implementing Resiliency of Adaptive Multi-Factor Authentication Systems

    Multi-factor authentication (MFA) is becoming increasingly popular for safeguarding systems from unauthorized user access. Adaptive Multi-Factor Authentication (A-MFA) is an enhanced version of MFA that provides a method to allow legitimate users to access a system using different factors that change based on different considerations. In other words, authentication factors, including passwords and biometrics among others, are adaptively selected by the authentication system based on criteria (e.g., whether the user is trying to log in from within the system boundary, or whether or not the user is trying to access the system during organization operating hours). The criteria (i.e., triggering events) that A-MFA uses to select authentication factors adaptively are usually pre-defined and hard-coded in the authentication system itself. In this paper, a graphical user interface application is designed to add more resiliency to the existing Adaptive Multi-Factor Authentication (A-MFA) method by enabling system administrators to rank the triggering criteria based on the users' roles, system assets, tolerance to risk, etc. The proposed tool allows system administrators to determine when to tighten and when to soften user access to the system. The tool uses a multiple criteria decision making (MCDM) method to allow system admins to assess the trustworthiness of a user. Based on the trustworthiness of the user, the tool selects the number and complexity of the authentication methods. This tool will help to utilize the system administrator's situational awareness to improve security. This work aims to preserve the strengths of A-MFA and at the same time give system administrators more flexibility and authority in controlling access to systems.

    Security awareness by online banking users in Western Australian of phishing attacks

    Phishing involves sending e-mails that pretend to be from legitimate financial institutions to recipients and asking for personal information such as usernames and passwords. It can also redirect network traffic to malicious sites, deny network traffic to web services, and modify protection mechanisms in the targeted computer systems. Consequences of successful attacks can include identity and financial losses, and unauthorised information disclosure. The purpose of this study was to investigate the experiences of Western Australian bank users in using online banking. The study considered the relationship between the background of the Western Australian bank users and their experience in using online banking security. The research analysed phishing through case studies that highlighted some of the experiences of phishing attacks and how to deal with the problems. Emphasis was placed on knowledge of phishing and threats and how they were actually implemented, or may be used, in undermining the security of users' online banking services. The preferences and perspectives of Western Australian bank users about the deployment of online banking security protection and about future online banking services, in order to safeguard themselves against phishing attacks, are presented. The aim was to assist such Australian bank users by exploring potential solutions and making recommendations arising from this study. Research respondents had positive attitudes towards using online banking. Overall, they were satisfied with the security protection offered by their banks. However, although they believed that they had adequate knowledge of phishing and other online banking threats, their awareness of phishing attacks was not sufficient to protect themselves. Essentially, the respondents who had experienced a phishing attack believed it was due to weak security offered by their banks, rather than understanding that they needed more knowledge about the security protection of their personal computers. Further education is required if users are to become fully aware of the need for security within their personal online banking.

    Host card emulation with tokenisation: Security risk assessments

    Host Card Emulation (HCE) is an architecture that enables the virtual representation (emulation) of contactless cards, allowing transactions to be carried out via mobile devices capable of Near-Field Communication (NFC) without the need for a microprocessor chip, the Secure Element (SE), which was used in NFC payments prior to HCE. In HCE, card emulation is performed essentially in software, usually in wallet-type applications. In the HCE with Tokenisation (HCEt) model, which is the specific HCE model analysed in this dissertation, the application stores payment tokens, which are cryptographic keys derived from the keys of the original card; these tokens are critical because they allow transactions to be executed, albeit with limitations on their use. However, with the migration from a tamper-resistant environment (the SE) to an uncontrolled environment (an application on a mobile device), there are several risks that must be properly assessed so that a risk-based implementation can be realised. This study describes the HCE with Tokenisation (HCEt) model and identifies and assesses its risks, analysing the model from the point of view of a wallet application on a mobile device that stores payment tokens in order to perform contactless transactions.