Audit and security implications of electronic funds transfer


A. Kinnon and R.H. Davis
Department of Computer Science, Heriot-Watt University, Edinburgh, Scotland

The problems created by the facilities of Electronic Funds Transfer are considered in relation to the role of auditors seeking to ensure that correct and secure operations occur when a computer takes over major record processing activities within an organisation.

Keywords: Electronic funds transfer, audit, security.

Andrew Kinnon received his early education in Liverpool. He gained an Honours BA degree in Accountancy and Computer Science at Heriot-Watt University in 1985 and has received two University Prizes. He is due to serve with a leading accountancy practice in the City of Edinburgh.

Robert Davis received the degrees of B.Sc. and Ph.D. from the Queens University Belfast before working as a systems analyst with Rio Tinto Zinc's leading UK subsidiary at Avonmouth, Bristol. Since taking up a lecturing appointment at Heriot-Watt University, he has been the author of a number of computer science articles in scientific journals. He coordinates the M.Sc. course on Knowledge Based Systems within the Department of Computer Science.

North-Holland Computers & Security 6 (1986) 17-23. 0767-4048/86/$3.50 © 1986, Elsevier Science Publishers B.V. (North-Holland)

1. What is EFT

Electronic Funds Transfer (EFT) is far more than Automatic Teller Machines (ATMs), which we all find so convenient and impersonal; EFT includes counter terminals at which clerks type in your account number and the amount being withdrawn or deposited. This trouble-free path is smoothed by automated systems with machines that read and sort cheques coded with magnetic ink at a rate of 35 per second. The process speed is limited by some necessary manual checking of the signature, date, amount and the magnetic coding itself. As yet, computer systems to do these tasks as reliably as the human eye and brain are not sufficiently developed.

The Bankers' Automated Clearing Services (BACS) is a centralised British system for dealing with automatic credits, standing orders, direct debits etc. All transactions of this type for a bank, or other companies sponsored by a bank, are put on magnetic tape, disk or cassette detailing the amount and affected accounts. With advances in data communication, the data can be transmitted in secure form direct to the processing centre. This has an equalising effect in service efficiency for users not based near the centre and allows instant confirmation of acceptance, or indication of rejection. Transactions can be transmitted to BACS when processing of the data at source is completed, with instructions to carry out the transfers at a specified date up to five days in the future. Processed transactions are delivered direct to the destination banks for updating of accounts. This method is much cheaper per transaction than the equivalent paper system and the payer and payee accounts are affected simultaneously. Money is available in the payee accounts by 9.30 A.M. three days after processing of the data.

The Clearing House Automatic Payment System (CHAPS) is a new development (CHAPS II was first fully on-line in February 1984), based on the New York system called CHIPS. It replaces the London Town Clearing system, allowing transactions valued over £10,000 to be carried out instantaneously by the 12 clearing banks and the Bank of England, replacing the use of couriers and bankers' drafts. In the latest system all the member banks have a 'gateway computer' linked into the British Telecom packet switched network, which is a cheap, high speed communication system. The computers use very sophisticated encryption, tamper and inspection-proof hardware and a dual key authorisation system. Once a transaction is confirmed by the receiving gateway the settlement (sending) bank must provide the funds by the end of the day, although it may subsequently be discovered that the transaction was fraudulently initiated. This system also allows remote branches to request high denomination direct transfer of funds, which was not practicable before the introduction of the electronic system. The expense of this system is not warranted for normal ATM operations.

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is effectively CHAPS on an international basis using a different system. It was established in 1973 by 239 banks in 15 countries with packet switched network bases in three operating centres. Now there are 1200 members in 50 countries and a decentralised system (SWIFT II) will take over progressively from this year to about 1987. Very high multiple level security is implemented to protect very high denomination transactions.

EFT is no longer the sole preserve of the banks. Building societies have ATMs, counter terminals, computer controlled updating of passbooks and produce tapes for BACS in many cases. The British Post Office has been considering the introduction of counter terminals for some time and large companies put wages and other transactions on tapes for BACS. Smaller companies are expected to take increasing advantage of BACS with the growing use of microcomputers capable of performing the necessary pre-processing and telephone modems.
Future expansions which were expected to be widespread by now are:

1. Home-banking, which is barely off the ground since it is expensive for the banks to provide, creates security problems and has very little demand at present. The Bank of Scotland in conjunction with the Nottingham Building Society has introduced 'Homelink' which uses a Prestel-type arrangement with British Telecom. It has ten levels of security which must be completed before any information can be released or transactions initiated.

2. Point-of-sale terminals (EFTPoS) have been tried out mainly in France. Banks and stores are reluctant to invest in EFTPoS because anticipated public acceptance is thought to be indifferent at best. This is mainly due to loss of float on cheques and credit cards. Also the shops would have to pay for the terminals and would prefer a single universal system for all ATM and credit cards which is, at present, not practicable.

3. A variation on EFTPoS is 'Smart Cards' which have a microprocessor, memory and power supply incorporated in the card so that the card stores the necessary information to allow a transaction to take place. In this way the terminal would not require a permanent communication link with the bank computer. The card would have to be linked to the bank's computer periodically for updating of the computer record, and the card, for security reasons, would probably have a non-erasable memory and would have to be replaced when it became "full." These have also been on test in France, but the cost at present is thought to be prohibitive.

4. Another possibility is automatic cheque guarantee facilities to combat losses in this area, which at present far exceed those from ATM theft. Direct confirmation of a card's validity with a bank's computer would act as a massive deterrent to fraud and forgery.

5. Cheque truncation is widespread in Sweden, Denmark and Belgium. When a cheque is deposited it is handled at the branch where the deposit is made. The details only need to be transmitted to the settlement bank to allow the cheque to be cleared. Problems to be overcome include:

a. Agreement between the clearing banks to link their central computer systems, with all the implied loss of security and confidentiality. The Data Protection Act may present a barrier.

b. Legal problems concerning the cheque as a "bill of exchange" which must be presented to the payer banker. There is a loophole which would allow the banks to insert a clause in their cheque account agreement with the customer where the customer waives this condition.

c. For efficiency the cheque must be read automatically and the signature needs confirmation, but with 8 million cheques currently clearing the British system every day, how many signatures are checked carefully at present? Manual checking of signatures is too expensive in relation to the savings from fraud reduction for it to be justified, and until reliable computerised signature verifying systems are developed this will continue to be the case.

2. Auditing of Banks

In general banks are audited by large audit firms who can provide a large, experienced audit team. They require special security clearance and a degree of specialised knowledge. The audit must take into account the legal requirements peculiar to banks, such as the ratio of the asset base to the amount of credit allowable, as a buffer against borrowers defaulting. The external auditor must assure himself that the information emanating from the EFT system is reliable within his materiality limits. He is not concerned about 'minor' matters such as the theft of 00 by unauthorised use of an ATM access card, provided reasonable steps have been and are being taken to limit such action and that the loss is dealt with correctly by the system.

Auditing of a bank does not stop with EFT systems, which are literally automatic 'transfers of funds' without the movement of vast quantities of paper. The transfer may, however, be a part or parts of a very complex trading situation involving lending to or borrowing from other banks or customers big and small, buying and selling stocks or currencies around the world, and providing improved cheque, cash and credit services to domestic customers. Banks produce financial statements and the external auditor's aim is still to provide verification of those statements. Frauds perpetrated, rather than suffered, by banks are not unknown and shareholders have the same right to professional assurance that what they are reading is a fair reflection of the real state of affairs.

The controls in a bank are very strong and the resources available for preventive measures are greater than in most non-financial institutions. In the area of EFT this is emphasised by the presence of specialist internal audit staff who test the systems continuously. If the external auditor is able to convince himself that the work of the internal auditor is competent and reliable then the testing by the external auditor may be reduced. The internal auditor has the advantage of a far more detailed knowledge of the computer system than the external auditor.

The conclusion that external auditors do not discover many frauds in bank systems is based on the low level of reported bank frauds. This suggests that:

1. very few bank frauds occur, which is unlikely if American reports and fears are anything to go by; or
2. the frauds that do occur are not discovered, again doubtful in view of the sophistication of detection and control systems; or
3. they are discovered by people who report internally so that disclosure is limited to personnel of the victim bank to prevent embarrassment.

Frauds will generally be discovered by internal check or internal audit, or are prevented by more and more complex controls - manual, mechanical and programmed. Since internal audit of the EFT system will be more extensive than that carried out by the external auditor, the duties of the internal auditor and the problems he has to face will be considered.

3. Computer Characteristics in EFT Systems

The main difference in EFT computer systems is one of scale. In most cases the very largest (not necessarily the fastest) modern mainframe computers represent the core of the system for each major clearing bank. A massive on-line rapid data storage and retrieval facility with complex and secure access control database management systems (DBMS) is a necessary facility, with a correspondingly massive back-up data library with records referring back decades rather than years.

In some functions there is a complete removal of paper controls prior to input of information, most notably ATM transactions. To replace this the entire procedural process is recorded on magnetic media so that the correct functioning of the process can be verified for any transaction in the event of a query.

Modern computers have diagnostic facilities which warn operators of substandard operation and imminent failure of components or pinpoint a fault when it occurs. This helps reliability, but in banking, where computer down-time is literally money lost, further precautions are required. Overspecification of facilities is commonplace, allowing the workload of any major component to be passed along an alternative route capable of comfortably handling the extra tasks indefinitely if that component fails. Unless identical units, each backing up the other, fail together, the system will continue working under multiple different component failures. Maintenance is thorough, and complete system failure by chance is almost inconceivable. This does not stop contingency plans being available in case such a situation does arise. Duplication extends to networks since they are probably the most vulnerable part of the system. All repairs are carried out as soon as possible after detection, or alternative back-up facilities provided to prevent complete failure.

Duplication of data is more tricky. Duplicate databases exist, but there is a problem of consistency. Transaction files are maintained and frequent copies made of data so that recovery is possible. Complete loss of any records could be very costly and would certainly be damaging to the bank's reputation and the reliability image of EFT as a whole. The audit trail of a bank system is necessarily comprehensive, but the task is made easier by the fact that there is very little compression of data in a bank's processing functions.

4. Internal Audit of EFTS

The aim of internal audit is mainly the prevention of fraud. To achieve this the auditor must retain an element of surprise. If an investigation is predictable its effect is vastly reduced, as defensive measures can be taken by anyone perpetrating a fraud. The fact that a section has just been checked should not rule out its selection for immediate re-checking, for example. The audit team or part of it may appear at any time, without warning, with full authority to obtain and inspect any information it requires to check for correct operation of the control systems. This will include live data, and procedures must ensure that no rules of confidentiality, incumbent on the bank, are broken. Audit procedures are limited to those who inspect, rather than create, data in the computer. Consequently, test-decks to check for accuracy of processing are not allowed. Processing checks are limited to checking on real transactions from extensive transaction files and verifying that they were processed correctly either manually or, more likely, with the aid of another computer.

The power of bank computers means that they include comprehensive activity logging systems. Such systems and their output information must be tamper-proof if they are to be effective. The output must be comprehensively checked to ensure that, for example, a certain terminal was not accessed by a member of staff (indicated by his or her login name and password) not normally allowed use of that terminal, or when that member of staff was not recorded as present in the building according to other controls. Many such cases can be prevented by programmed controls, but the log should register all illegal attempts and alert security staff so that investigations can be instigated. Controls such as auto-logoff facilities can reduce access due to human error, and additional password security for file access may be appropriate in highly sensitive applications of banking work.

Activity logs will also indicate what programs were run, who they were initiated by, give details of the duration of the run and what data was used. A skilled inspector should be able to spot unusual programs which might indicate illegal activity. Creation of new programs should be fully authorised, and activity using operating system facilities will probably be unusual in an environment where most work takes place within approved programs for the entry and processing of data.

It should not be possible to process a transaction without creating a full audit trail. All account credits and debits should have a full history of their source, authorisation, etc. A credit must have come from another account via a cheque, direct debit or standing order, or from an interest payment by the bank, etc. Debits must be equally verifiable since they may be half of an illicit transfer which will later result in a complaint from the owner of that account if a transfer was made without authorisation. The real danger is from diversion of a payment from its true destination to the criminal's account. Authorisation may exist for a transfer and the recipient may not be expecting the transfer or may not know exactly when it should have arrived, in order to query the fault.
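The activity-log review described above, as an added illustration that is not part of the paper: the log format, terminal authorisation table, building-presence records and approved-program list are all constructed for this example, and the checks are the three the section names (terminal not normally allowed to that user, user not recorded as present, unusual program) plus the illegal-attempt alert.

```python
"""Activity-log review for an EFT system (added example, not from the paper).

Constructed log line format (an assumption for this example):
    <ISO timestamp> <user> <terminal> <event> [<program>]
"""
from datetime import datetime

# Constructed: which login names are normally allowed to use which terminal.
TERMINAL_AUTH = {
    "TRM-01": {"aclark", "bsmith"},
    "TRM-07": {"csupervisor"},
}

# Constructed: building access records, (entered, left) per user, from other controls.
PRESENCE = {
    "aclark": [(datetime(1986, 3, 3, 8, 55), datetime(1986, 3, 3, 17, 10))],
    "bsmith": [(datetime(1986, 3, 3, 9, 0), datetime(1986, 3, 3, 12, 30))],
    "csupervisor": [(datetime(1986, 3, 3, 8, 0), datetime(1986, 3, 3, 18, 0))],
}

# Constructed: approved programs for entry and processing of data.
APPROVED_PROGRAMS = {"POSTTRAN", "ENQUIRE", "DAYEND"}

# Constructed sample log: six events on one day.
LOG_LINES = """\
1986-03-03T09:05:00 aclark TRM-01 LOGIN
1986-03-03T09:06:12 aclark TRM-01 RUN POSTTRAN
1986-03-03T12:45:00 bsmith TRM-01 RUN ENQUIRE
1986-03-03T13:10:00 bsmith TRM-07 LOGIN
1986-03-03T14:00:00 csupervisor TRM-07 RUN SHELL
1986-03-03T14:02:00 csupervisor TRM-07 LOGIN_FAILED
"""


def parse_line(line):
    """Split one log line into its fields; program is None for non-RUN events."""
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "terminal": parts[2],
        "event": parts[3],
        "program": parts[4] if len(parts) > 4 else None,
    }


def present(user, ts):
    """True if the building records show the user inside at time ts."""
    return any(start <= ts <= end for start, end in PRESENCE.get(user, []))


def review(log_text):
    """Cross-check every log record against the other controls.

    Returns a list of (timestamp, user, reason) findings for security staff
    to investigate; an empty list means nothing unusual was seen.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts, user, term = rec["ts"], rec["user"], rec["terminal"]
        # Terminal used by someone not normally allowed to use it.
        if user not in TERMINAL_AUTH.get(term, set()):
            findings.append((ts, user, f"not authorised for {term}"))
        # Activity while the user was not recorded as present in the building.
        if not present(user, ts):
            findings.append((ts, user, "not recorded present in building"))
        # Work outside the approved programs (e.g. operating system facilities).
        if rec["event"] == "RUN" and rec["program"] not in APPROVED_PROGRAMS:
            findings.append((ts, user, f"unapproved program {rec['program']}"))
        # Illegal attempts must be registered and alerted, not silently dropped.
        if rec["event"] == "LOGIN_FAILED":
            findings.append((ts, user, "illegal access attempt"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(LOG_LINES):
        print(f"{ts.isoformat()} {user}: {reason}")
```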

5. Access to the Computer

This is much more of a problem for banks compared with most commercially installed computer systems. The nature of EFT is that communication exists with the outside world, including the general public. In normal applications the computer is a self-contained unit with controls on access strictly enforceable. All a bank can do to control its customers is to give them advice concerning the safekeeping of access cards and non-disclosure of PINs. The losses incurred through unauthorised access are limited to £50, by law, for the customers, with certain exceptions, but the bank's safeguards rely on daily or weekly withdrawal limits. Shared networks, e.g. Midland and NatWest, have greater security problems due to a further degree of complexity in routing the information. Some ATM networks are also vulnerable because they are not on-line to the central computer for each transaction, but rely on local processing which may allow excessive withdrawals from a number of different machines. Home-banking allows an even greater scope for access since a telephone number is available and hackers can ring up with their modems to attempt illegal access. No special wire-tapping skills are required, as would be the case with ATM lines, although built-in systems and program security are available to thwart the hacker.

6. Auditing of Communication Networks

The objectives of such a network audit should be to confirm for audit purposes and management that:

1. data is complete, accurate and not duplicated;
2. data confidentiality is maintained;
3. the network is adequate for the needs of the banks and available at all times.

The approach is similar to the audit of the rest of a system:

1. fully document all networks;
2. identify all the components;
3. evaluate the controls and the significance of the components.

The suggested approach is to consider each communications application as a combination of identifiable subsystems so that common facilities need only be assessed once. The way the subsystems combine in each case must be examined as well. In a bank, the communication systems consist of three distinct sections:

1. the remote facility, e.g. ATM, EFTPoS terminal, home-banking terminal;
2. the communications medium owned by British Telecom;
3. the central computer system including 'front end processors'.

A boundary between two parts is the point at which control is relinquished by one to another. Ownership of a modem will determine which side the logical interface is on, if division takes place at a modem. The key to the control of networks is remembering that the communication medium itself, whether an ordinary telephone line, leased line, microwave or satellite link, is completely insecure. British Telecom, for example, retain the right to listen to all transmissions on their lines; technicians can determine the source and destination of any traffic, and information can be monitored, stored and displayed in a readable format, without the clutter of protocol, quite freely.

The 'front end processing' will probably include handling of queues of messages, and the auditor should investigate how this is implemented with respect to the objectives of network audits. Queues involve stores of messages which must be secure and reliable; their operation must ensure that the messages reach the correct destination and not more than once. Some queueing systems will discard messages with incorrect addresses, e.g. IBM's TCAM; you may wish them to be stored for analysis and recovery.

When an application program receives its message or retrieves it from a queue, no assumptions should be made by the program concerning its source and authenticity. Programmed controls should be in place to allow a message to prove its authenticity. Techniques available include:

a. Authentication codes - an encrypted code derived from the body of the message by the sender using a key known only to the sender and destination. This leaves the message in the clear, but effectively confirms the source by the use of the correct code and catches errors and alterations introduced during transmission. Its advantage over full encryption is that the intended action of an imposter, detected because the code is wrong, can be read in the clear rather than being indecipherable itself.

b. Encryption - encoding through a certified algorithm, e.g. public key or RSA cryptosystems, allows secure transmission and effective identification of the source. A method must be used to identify the source so that the correct key is used to decrypt at the destination. All encryption techniques require 'key management' controls to maintain security. If the key for decryption is known there is little point in encryption, since in most cases the encryption/decryption algorithm is common knowledge.

c. Complex protocol - linked with the above, it makes interception and/or imitation more difficult. Techniques available can allow the destination to tell the source which key to use for its encryption so that it changes for each transmission.
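Techniques (a) and (c) above worked together, as an added example that is not from the paper: the message travels in the clear with an authentication code, and the destination picks a fresh nonce per transmission from which both sides derive a one-time code key. HMAC-SHA256 stands in for whatever code algorithm a 1986 system used, and the key-derivation rule, message format and class names are assumptions of this example.

```python
"""Authentication code with a per-transmission key (added example, not from the paper).

Sender and destination share a long-term key that never goes on the wire. For
each transmission the destination issues a nonce; both sides derive a one-time
key from (long-term key, nonce) and the sender appends HMAC(one-time key, message).
The message itself is sent in the clear, as section 6(a) describes.
"""
import hashlib
import hmac
import os

LONG_TERM_KEY = b"constructed-shared-key-for-example-only"  # constructed sample


def derive_transmission_key(long_term_key: bytes, nonce: bytes) -> bytes:
    """One-time key selected by the destination's nonce (derivation rule is an assumption)."""
    return hmac.new(long_term_key, b"EFT-KEY|" + nonce, hashlib.sha256).digest()


def authenticate(long_term_key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Sender side: the authentication code for this message under this transmission's key."""
    key = derive_transmission_key(long_term_key, nonce)
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(long_term_key: bytes, nonce: bytes, message: bytes, code: bytes) -> bool:
    """Destination side: recompute the code and compare in constant time."""
    expected = authenticate(long_term_key, nonce, message)
    return hmac.compare_digest(expected, code)


class Destination:
    """Issues nonces and accepts each one exactly once, so a captured message
    cannot be replayed under a key that has already been used."""

    def __init__(self, long_term_key: bytes):
        self.key = long_term_key
        self.outstanding = set()

    def challenge(self) -> bytes:
        """Tell the source which key to use, by issuing the nonce that selects it."""
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def receive(self, nonce: bytes, message: bytes, code: bytes):
        """Return (accepted, cleartext). A rejected message is still readable,
        which is the advantage over full encryption noted in section 6."""
        if nonce not in self.outstanding:
            return False, message          # unknown or already-used nonce
        ok = verify(self.key, nonce, message, code)
        self.outstanding.discard(nonce)   # one transmission per nonce
        return ok, message


def demo():
    """Genuine message, altered-in-transit message, and replay; returns the outcomes."""
    dest = Destination(LONG_TERM_KEY)
    msg = b"CREDIT 10000 FROM 12345678 TO 87654321"   # constructed sample message

    nonce = dest.challenge()
    code = authenticate(LONG_TERM_KEY, nonce, msg)
    ok_genuine, _ = dest.receive(nonce, msg, code)

    # Amount altered after the code was computed: code no longer matches.
    nonce2 = dest.challenge()
    code2 = authenticate(LONG_TERM_KEY, nonce2, msg)
    tampered = msg.replace(b"10000", b"99000")
    ok_tampered, seen_in_clear = dest.receive(nonce2, tampered, code2)

    # Replay of the genuine message with its already-consumed nonce.
    ok_replay, _ = dest.receive(nonce, msg, code)
    return ok_genuine, ok_tampered, ok_replay, seen_in_clear


if __name__ == "__main__":
    print(demo())
```

The rejected message comes back readable, so the auditor can see what the imposter or the line fault tried to do rather than just seeing a decryption failure.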

7. Staff Characteristics

Staff should all have been vetted and carefully selected for the appropriate level of skill necessary to perform the task after training. Too much expertise may lay the system open to attack. Trust cannot realistically be given to individuals; everyone should have someone else looking over their shoulders. In a banking environment, team conspiracy should be necessary to defraud the bank, or alternatively a very high level of seniority. During 24 hour operations, full staff manning must be maintained with no reduction for nightshifts, when the workload is just as high, if not higher, than during the day. Meal-breaks should be strictly controlled. If procedural rules are broken by staff the consequences could be serious and the penalties should provide a deterrent. Frequent practice of the routines necessary to bring back-up systems on-line is essential, in order to allow a smooth transition and minimal disruption to the services provided by the bank. Dual-key transactions require an accurate computer operator who enters a transaction into, say, a CHAPS terminal and a supervisor who checks the details against a second copy of authorised transactions at his own terminal. The supervisor then signals the computer to commence transmission, which finalises the transfer, by entry of a password not known to the first operator.
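The dual-key transaction just described, modelled as an added example that is not from the paper or any bank's system: the operator enters the transfer, and transmission happens only when a different person, holding a password the operator does not have, confirms it against an independently held copy of the authorised transactions. The record layout, the plain hashing of the supervisor password and all names are assumptions of this example.

```python
"""Dual-key release of a CHAPS-style transfer (added example, not from the paper)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """Constructed record layout; equality compares every field."""
    reference: str
    payer: str
    payee: str
    amount_pence: int


def _pw_hash(password: str) -> bytes:
    # Constructed: a bare hash for illustration only; a real system would use a salted KDF.
    return hashlib.sha256(password.encode()).digest()


class DualKeyTerminal:
    """Operator entry plus supervisor release; neither alone can transmit."""

    def __init__(self, supervisor_password_hash: bytes, authorised_list):
        self._sup_hash = supervisor_password_hash
        # The supervisor's second copy of authorised transactions, keyed by reference.
        self._authorised = {t.reference: t for t in authorised_list}
        self._pending = {}      # reference -> (operator, Transfer as entered)
        self.transmitted = []   # transfers actually sent
        self.log = []           # audit trail of every entry, release and rejection

    def operator_enter(self, operator: str, t: Transfer):
        """First key: the operator keys the transaction; nothing is sent yet."""
        self._pending[t.reference] = (operator, t)
        self.log.append(("ENTERED", operator, t.reference))

    def supervisor_release(self, supervisor: str, reference: str, password: str) -> bool:
        """Second key: a different person confirms against the authorised copy.

        Returns True only if every dual-key condition holds; every refusal is logged
        with its reason so that internal audit can review it later.
        """
        if reference not in self._pending:
            self.log.append(("REJECT", supervisor, reference, "nothing pending"))
            return False
        operator, entered = self._pending[reference]
        if supervisor == operator:
            reason = "same person as operator"
        elif not hmac.compare_digest(_pw_hash(password), self._sup_hash):
            reason = "bad supervisor password"
        elif self._authorised.get(reference) != entered:
            reason = "does not match authorised copy"
        else:
            del self._pending[reference]
            self.transmitted.append(entered)
            self.log.append(("TRANSMITTED", supervisor, reference))
            return True
        self.log.append(("REJECT", supervisor, reference, reason))
        return False


if __name__ == "__main__":
    # Constructed sample session.
    authorised = [Transfer("T1", "12345678", "87654321", 1_000_000)]
    terminal = DualKeyTerminal(_pw_hash("sup-secret"), authorised)
    terminal.operator_enter("operator1", authorised[0])
    print(terminal.supervisor_release("supervisor1", "T1", "sup-secret"))  # True
    for entry in terminal.log:
        print(entry)
```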


8. Conclusion

The aim of EFT security is to develop measures sophisticated enough to prevent any invasion of a bank's financial and communication systems, no matter how ingenious the attacker or how well equipped he may be, while allowing swift, convenient, specifically limited access to those authorised and correctly equipped to do so. Unfortunately the latter is mainly the general public, which includes those who will ignore advice, however much it may be in their interest to heed it, and will allow themselves and the bank to suffer losses in the process. Security techniques take years to develop, in some cases, so it is likely that the criminals will stay a jump ahead indefinitely, unless the security experts identify weaknesses in the following areas.

External threats

The loopholes available to outside attack may be reduced further with the substitution of PINs with other methods of confirming an individual's identity. Fingerprints are the source of investigation and it is technically possible to store information describing such a complex entity on an ATM access card itself, using laser technology. Voice prints are probably more suitable, but the technology is not at a sufficiently reliable stage, and sound recording techniques of an equally imprecise nature may make it unsuitable as soon as it is developed.

Internal threats

Internal attack is rapidly becoming more and more dangerous for the attacker unless he is at such a level of responsibility that he can dismantle controls or can succeed through some other breach of trust. Remuneration of such staff tends to discourage such action and controls still exist even at the highest levels. Control will probably never be perfect, so vigilance by trained staff is necessary to reduce losses to a minimum even if they cannot be eliminated.

Communications

There is no indication of the level of communication and cooperation between financial institutions concerning the problems and types of frauds they have encountered. It is to be hoped that there is a high level of co-ordination in the fight to defeat the computer criminal. Frauds should not be repeatable around the world and resources should not be wasted by repetition of work in development of security techniques.

Controls

All controls, in the final analysis, rely on human action, either directly or indirectly, and a criminally inclined person who finds an error will take advantage of it rather than reporting it. Controls also have a cost. More complex and effective controls are generally more expensive, so decisions have to be made, perhaps years before a control is developed from a basic idea, whether it is worth using at all. Some losses thus become accepted as a professional hazard.

Acknowledgement

Our thanks to Mr. Colin Richardson of the Bank of Scotland, who answered our questions as far as possible and obtained the article by K.R. Lindup which had been difficult to find.

References

[1] E. Woolf: Auditing Today, 2nd Edition. Prentice-Hall, 1982.
[2] M.J. Pratt: Auditing, 2nd Edition. Longman, 1983.
[3] A.J. Thomas and I.J. Douglas: Audit of Computer Systems. NCC, 1981.
[4] D.L. Cornick: Auditing in the Electronic Environment: Theory, Practice and Literature. Lomond, 1981.
[5] D. Hopton: Electronic Funds Transfer Systems: The Issues and Implications. University of Wales Press, 1979.
[6] M. Cole: Tips and Tricks from Toronto. Accountancy (October 1984) p. 68.
[7] R. Dewey: Systems Auditability and Control in an EFTS Environment. AFIPS Conference Proceedings, Vol. 47 (1978) pp. 185-88.
[8] C.R. Franz and S.A. Asbill: Liability Implications in Electronic Funds Transfers. Information & Management, Vol. 5, No. 2 (June 1982) pp. 87-93.
[9] J.S. Hastie: The Key to Resolving EFT Security Problems: The Human Problem. Proceedings of the 1984 Carnahan Conference on Security Technology, pp. 153-7.
[10] K.R. Lindup: Auditing a Financial Institution Network. IIA-UK (March 1984).
[11] K.R. Lindup: Auditor's Key Role in Strengthening Network Defences. Accountancy (October 1984) p. 76.
[12] D.B. Parker: Vulnerabilities of EFTS to Intentionally Caused Losses. Communications of the ACM, Vol. 22, No. 12 (Dec 1979) pp. 654-60.
[13] E.H. Perley: Organising the EDP Security Function. Edpacs, Vol. 8, No. 10 (April 1981).
[14] J. Pritchard: Computer Security - What is the Auditor's Role? Accountancy (November 1978) p. 81.
[15] M. Samociuk: How Team Effort Can Outwit the Computer Raider. Accountancy (October 1984) p. 71.
[16] M.B. Schwartz: Safeguarding EFTS. Datamation, Vol. 29, No. 2 (Feb 1983) pp. 148-60.
[17] J. Vacca: Money on the Move: Electronic Funds Transfer. Computerworld (USA), Vol. 18, Part 18a, pp. 83-7.
[18] Audit Commission: Computer Fraud Survey (28th March 1985), published by HMSO.
[19] R. Adair and S. Jewell: Computer Fraud: Is There Cause for Concern? Public Finance and Accountancy (April 1985) (CIPFA magazine) pp. 27-9.
[20] C. Hurford: Input Frauds Still Predominant. ibid., pp. 29-30.
[21] Information & Management, Vol. 4, No. 1 (March 1981), Special Issue - Managing and Controlling EDP in the 80's.