Question
Security Management

Suppose you work for a large bank that is introducing an exchange for electronic currency (such as Bitcoin). The exchange will allow users to buy and sell the electronic currency using Australian dollars.

a) [5 marks] List some security threats that you would need to guard against, and for each one explain why it is a concern in this particular situation.

b) [3 marks] Develop a risk evaluation matrix for the threats that you identified in part (a).

c) [7 marks] Prepare some draft recommendations for the management of the bank explaining to them how they might guard against the risks that you identified in part (b).

Explanation / Answer
Answer:
Here are some security threats:
a. Spoofing payment information and phishing
We'll start with regular issues, for example, plain old theft. Suppose you're transferring cash to a companion. You copy his wallet address accurately, yet malware replaces the address in the clipboard with another one. Not every user is vigilant and double-checks an address after copying it, especially if the address is a long jumble of characters.
Or take phishing, for another example. As with ordinary e-cash, users can be deceived into going to a phishing site where they upload their cryptowallets and enter a password.
Obviously, users of a traditional bank or payment framework can also run into issues with cyberthieves. In any case, with a traditional framework there is always a fairly decent chance of canceling the transfer. In the case of cryptocurrencies, you should attempt to complain to the United Nations. What happens in the blockchain stays in the blockchain.
b. Hacking a payment gateway
On top of that, even using a bona fide payment gateway with the right address can result in lost cash. In June 2017, the most popular Web wallet for the Ethereum Classic digital currency, with the original address https://classicetherwallet.com/, abruptly started stealing cash from users' wallets.
It turned out that hackers had used social-engineering techniques to persuade the hosting provider that they were the real domain owners. After gaining access, they started blocking cash flows.
Fortunately, the strategy those hackers used wasn't the best: they replaced the payees immediately, consequently rapidly ruining their disguise and managing to steal just $300,000 in several hours. If they had gathered the wallets and waited a while, they would have remained undetected for a lot longer, and the damage probably would have been far worse.
In all fairness, classic financial services can also fall prey to that sort of attack. For example, in Brazil this year, hackers hijacked an entire bank.
c. User address error
The previous cases were typical electronic-cash issues, but as we've already said, cryptocurrencies add their own wrinkles. For example, there is a hazard that's quite specific to cryptocurrencies: loss of cash because of an error in the address to which the cash transfer is made.
In the case of Ethereum, if the last digit of the address wasn't copied, the cash would disappear like a phantom. Or it would go where it should, but the amount you intended to transfer would be increased by 256.
That error isn't relevant to Bitcoin; its framework has built-in address validation. Even so, in Bitcoin you may send cash to a secret recipient: how does losing 800 bitcoins strike you? (That's about $3.2 million at the exchange rate on September 28, 2017.) Or you could accidentally pay a fee of 80 bitcoins (about $320,000). To be fair, that sort of mistake is unlikely with a popular Bitcoin client; in those cases it's likely people were using something homemade.
d. Loss of a wallet file
There's one more issue that is typical of cryptocurrencies: loss or theft of a wallet. Most users store their digital currency wallet files on their PCs. Therefore, they can be stolen using malware or lost if the hard disk crashes.
So most advanced users make hard copies of their secret key and buy USB hardware wallets. Yet the number of such users is small.
The situation with "centralized" e-cash is far better at present. It's the rare Internet bank that doesn't require two-factor authentication and confirmation of transactions using SMS with one-time passwords. And in the case of corporations or large amounts, the use of a USB token is mandatory.
e. Uncertain ICOs
In 2017, investing in projects associated with a blockchain or cryptocurrencies became extremely popular among cryptocurrency holders. This kind of fundraising is called an ICO, an Initial Coin Offering.
You can learn more about how all this happens, what the Ethereum network is, and how smart contracts work, in our previous post on the topic, so we won't repeat the technical details here. The upshot is that using cryptocurrencies has made it easy to raise outrageous amounts of funds with just an Internet connection. More than $1.7 billion has already been raised through ICOs in 2017. You don't hear much about successful projects, yet speculators are still optimistic.
What's the issue, then? The issue is that the cryptocurrency market still isn't regulated by any means, there are no risk assessment mechanisms, and there is no guarantee, like at all, of a return on investments, aside from the word of honour of the people who came up with the project.
Generally speaking, the fact that someone has an idea doesn't mean the idea is great or even feasible, that the resulting product will make a profit, or that the author will actually spend the cash on implementing it rather than on paying the CEO (himself). Ultimately, he may simply make off with the cash, knowing it's not easy to track down and de-anonymize a payee on the digital money market.
f. Spoofing a user address
Sometimes, a cash-grabbing scheme is considerably more straightforward. Collection of funds in an ICO usually opens at a predetermined time and closes when the required amount has been gathered. The collection address is posted on the project site when it opens (it's not required, simply normal practice).
During one ICO, a hacker gained access to the project site and, as soon as collection opened, replaced the address with his own. Within 60 minutes, 2,000 participants had tossed in $8 million. Then the address was flagged as fake. But even that didn't stop the eager crypto-investors: a great many of them kept on transferring cash to the same fake address, and the hacker got another $2 million that day.
DEAR PLEASE DO RATE IT IF HELPS ELSE LET ME KNOW YOUR DOUBT.
THANK YOU!!!
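The answer above credits Bitcoin with "built-in address validation" and contrasts it with an Ethereum address that lost its last digit. The following Python is an added example (editor's code, not part of the tutor's answer) of what that validation is, a Base58Check decode, and of the kind of server-side check the bank's exchange could apply to every withdrawal address before accepting a transfer request. The Bitcoin genesis-block address is used as the known-good input; the Ethereum address is constructed and not a real account.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' stands for a 0x00 byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload)).

    A dropped or mistyped character changes the decoded bytes, so the
    recomputed checksum no longer matches and the address is rejected.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def is_well_formed_eth_address(addr: str) -> bool:
    """A plain lower-case hex Ethereum address carries no checksum at all, so the
    only structural check available is the shape: '0x' plus exactly 40 hex digits.
    A missing last digit is caught by the length test and by nothing else."""
    if not addr.startswith("0x") or len(addr) != 42:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in addr[2:])


if __name__ == "__main__":
    # Bitcoin genesis-block address (a known valid address), then a truncated copy.
    print(is_valid_btc_address("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))  # True
    print(is_valid_btc_address("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfN"))   # False
    # Constructed Ethereum address (not a real account), then one with a digit dropped.
    print(is_well_formed_eth_address("0x" + "ab" * 20))                 # True
    print(is_well_formed_eth_address("0x" + "ab" * 19 + "a"))           # False
```

The checksum only proves the address is well formed, not that it belongs to the intended payee, so it complements rather than replaces out-of-band confirmation of the destination.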