... securities trader and Dmitry the money launderer etc - PowerPoint PPT Presentation

Slides: 33
Provided by: richa4


The Security of Financial Transactions
  • Introduction: the security purpose of money
  • More about the history of money
  • Double entry bookkeeping
  • Banking records and data processing
  • The Clark-Wilson integrity model
  • The purpose of audit
  • Financial Transaction network protocols
  • Cryptographically anonymised money
  • Limits of digital anonymous money

The security purpose of money
  • One way to look at money is as a security
    construct. Alice has one more camel than she
    needs which Bob wants. How is Alice going to
    ensure that Bob values it at least as much as she
    does and that she can obtain something of value
    to her in return ?
  • In an ideal world where people would always
    respect property and provide others with what
    they needed, money would not be required because
    Alice would know that Bob would look after the
    camel well and that she is as likely to receive
    from others what she needs as Bob would in being
    able to use and look after the camel. Money is
    needed because people are not always honest,
    generous, economical and willing to help.

Origin of banking
  • Direct barter, e.g. getting a lump of valuable
    metal in return isn't always practical. So
    Mallory, who has a strongroom, acts as banker to
    Alice keeping the piece of gold Bob gave for the
    camel, giving her a piece of paper to indicate
    the deposit. Mallory soon discovers that the gold
    stays in his strongroom to the extent that he can
    issue 7 notes for every measure of gold with
    little risk. One banknote goes to Alice and the
    other six are either lent out by Mallory at
    interest or perhaps he might invest them himself
    by building houses for rent. If Mallory's notes
    have serial numbers on them this makes it more
    possible to trace thieves who steal them from
    Alice or forgers who make copies of them.

Money as information
  • Nowadays 97% of the money in circulation in the
    UK is in the form of chequable and electronically
    transferrable deposits and credit card limits.
    The world still contains our cast of characters
    intent on attacking the system, such as Joe
    Semtex the bank robber, Ethel the bent securities
    trader and Dmitry the money launderer etc. But
    with less cash moving around and more of the
    electronic equivalent, Joe's audacious armed
    raids on security vans are netting fewer returns
    for greater risks while Dmitry and Ethel's
    criminal activities are expanding. The increasing
    complexity of the system has given our cast of
    criminal misfits more possible modes of attack.

Security services or protection racket ?
  • The job of the financial security engineer in
    closing the increasing number of holes isn't
    getting easier. Considering the rewards Mallory
    obtained from the construction of the strongroom
    in which Alice kept her gold, we shouldn't forget
    the price that everyone else has ended up paying
    those who succeed in the task of providing
    various kinds of security or persuading those who
    thought they didn't need this that they do.
  • George Bernard Shaw: "every profession is a
    conspiracy against the laity".
  • Andrew Carlan: "The third law of politics is that
    power abhors a vacuum". The difference between
    lawful and unlawful security services depends
    upon who makes the laws.

Early history of money
  • Various histories (e.g. Adam Smith, "The Wealth
    of Nations") suggest that money started out as
    lumps of valuable metal. The earliest metal coins
    date from around 650 BC. If recent archaeological
    discoveries concerning ancient forms of
    accounting are correctly interpreted, earlier
    money may have taken the more abstract form of
    clay warehouse receipts representing the goods
    concerned 3000 years before coins were first made.

Did tax accounting precede writing ?
  • "The immediate precursor of cuneiform writing was
    a system of tokens. These small clay objects of
    many shapes--cones, spheres, disks, cylinders,
    etc.--served as counters in the prehistoric Near
    East and can be traced to the Neolithic period,
    starting about 8000 B.C. They evolved to meet the
    needs of the economy, at first keeping track of
    the products of farming, then expanding in the
    urban age to keep track of goods manufactured in
    workshops. The development of tokens was tied to
    the rise of social structures, emerging with rank
    leadership and coming to a climax with state
  • Also, corresponding to the increase in
    bureaucracy, methods of storing tokens in
    archives were devised. One of these storage
    methods employed clay envelopes, simple hollow
    clay balls in which the tokens were placed and
    sealed. A drawback of the envelopes was that they
    hid the enclosed tokens. Accountants eventually
    resolved the problem by imprinting the shapes of
    the tokens on the surface of the envelopes prior
    to enclosing them. The number of units of goods
    was still expressed by a corresponding number of
    markings. An envelope containing seven ovoids,
    for example, bore seven oval markings."
  • Denise Schmandt-Besserat

Double-Entry Bookkeeping
  • Early systems of accounting had to deal with the
    occasional corrupt insider. When business became
    too complex to trust record keeping to one person
    in one place, double-entry bookkeeping was
    invented. This still doesn't seem obvious, but
    the principle is that every transaction has to be
    recorded in one book or ledger as an asset and in
    another book as a liability. For example, a
    customer of a bank makes a cash deposit. From the
    bank's point of view, the contents of the cash
    till represent an asset, and the customer's
    deposit account is the bank's liability. It is
    obvious that the bank needs to keep score in
    terms of the deposit account. Double entry
    accounting extends to each bank branch - not just
    the business as a whole.

  • Q. Why keep a separate record of what goes in and
    out of the cash till as well as deposit accounts ?
  • A. This means that the ledger recording money in
    and out of the till should correspond with the
    amount of cash in the till. Otherwise if the
    amount of money in the till is incorrect the
    discrepancy could not so easily be traced.

  • Q. But isn't a business supposed to make a
    profit and isn't this an asset ?
  • A. Yes but the profit a business makes belongs to
    its shareholders. If a bank has cash in the vault
    or owns deposits elsewhere which result from
    higher earnings than costs (i.e. profit) these
    will appear in the books as assets. Any profits
    that have been made are also immediately a
    liability that the business has to its owners the
    moment the profit is made, so if the book
    recording profits which the business owes to
    shareholders is kept up to date then all the
    books should still balance.

  • Q. What happens if a business makes a loss ?
  • A. To start with, a business needs investment.
    This asset is capital the business can use to
    launch operations before it starts making a
    profit. In the liabilities book this is what the
    business owes to its owners and creditors.
  • A business becomes insolvent when its liabilities
    exceed assets to the extent creditors have to
    reduce expectations of what the business can pay
    back, so after these adjustments are made the
    books still balance.

Banking records and data processing 1
  • Accounting master file
  • This will contain each customers current balance,
    previous transactions over a certain period, and
    a carry forward amount for the start of this
  • Ledgers
  • These track assets such as cash on their way
    through the system.

Banking records and data processing 2
  • Journals
  • These track transaction inputs from check
    sorters, cash machines etc. not yet input into
  • Audit trail
  • This records which member of staff did what and

Banking records and data processing 3
  • Batch Processing
  • A set of programs runs in sequence at the end of
    a day's business, to input data from the various
    journals to update the relevant ledgers. An
    example might be a cash deposit by a customer
    into a savings account. The relevant journals
    should include deposits into savings accounts and
    cash in and out of the till. After all the inputs
    have been used to update the ledgers, all the
    asset and liability ledgers should still balance.
    If they don't this indicates an error which is
  • The order in which batch programs are run can
    influence the outcome, e.g. making payments into
    accounts occur before payments out of them
    reduces the risk of overdrafts.

Banking records and data processing 4
  • Transaction Processing
  • The reason for having separate journals and
    ledgers is that this enables a batch to be rerun
    based on the same starting state if a failure
    occurs prior to batch completion. Backup copies
    of all files have to be taken before a batch job
    is started, and these files determining the
    starting state of the system will be restored
    prior to a rerun.
  • Software engineers describe the approach to data
    processing where a set of related updates either
    complete as a unit or are rewound to the starting
    state as transaction processing. Preventing
    accidental discrepancies and maintaining the
    security of the system are intimately connected
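
The batch behaviour described on the last two slides, as an added example that is not part of the original presentation: a batch posts a journal to both ledgers, runs on a copy so a failed run can be repeated from the same starting state, and shows how the order of entries changes the outcome. The function names, the sample accounts and the choice to treat an overdraft as a batch failure are assumptions made for illustration.

```python
import copy

class BatchError(Exception):
    """The batch could not complete; the caller keeps the starting state."""

def books_balance(ledgers):
    """Double-entry check: total assets must equal total liabilities."""
    return sum(ledgers["assets"].values()) == sum(ledgers["liabilities"].values())

def run_batch(ledgers, journal, credits_first=True):
    """Apply one day's journal to the ledgers as a single unit.

    Journal entries are (asset_account, liability_account, pence); a positive
    amount is a deposit, a negative amount a withdrawal. All work is done on a
    copy, so a failure leaves `ledgers` as the untouched starting state.
    """
    work = copy.deepcopy(ledgers)          # the "backup before the batch" step
    entries = list(journal)
    if credits_first:                      # stable sort: deposits, then withdrawals
        entries.sort(key=lambda e: e[2] < 0)
    for asset, liability, pence in entries:
        work["assets"][asset] = work["assets"].get(asset, 0) + pence
        balance = work["liabilities"].get(liability, 0) + pence
        if balance < 0:                    # assumed policy: overdraft aborts the batch
            raise BatchError(f"{liability} would be overdrawn by {-balance}")
        work["liabilities"][liability] = balance
    if not books_balance(work):            # each entry hit both books, so this must hold
        raise BatchError("ledgers do not balance after batch")
    return work

# Constructed sample data, amounts in pence.
OPENING = {"assets": {"till": 500}, "liabilities": {"alice": 300, "bob": 200}}
JOURNAL = [("till", "alice", -350), ("till", "alice", 100)]

def demo():
    """Run the same journal with deposits first, then strictly in journal order."""
    closing = run_batch(OPENING, JOURNAL)
    try:
        run_batch(OPENING, JOURNAL, credits_first=False)
        in_order = "completed"
    except BatchError as exc:
        in_order = str(exc)
    return closing, in_order

if __name__ == "__main__":
    print(demo())
```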

Separation of Duties
  • If double entry books are kept by different
    clerks, or computers, or sandboxed processes,
    containers or virtual machines under the control
    of different administrators, this leads to a
    situation where fraud requires the collusion of 2
    or more members of staff, otherwise known as
    "shared control".
  • This principle is extended in banking to ensure
    that one member of staff doesn't have too much
    influence over the systems that keep track of
    what they do. Giving Nick Leeson management
    control over the Barings Bank Singapore dealing
    room and back office operations at the same time
    violated this principle. The events leading up to
    this and the consequent collapse of Barings Bank
    were described in the film "Rogue Trader".

The Clark-Wilson integrity model
  • This is based on an analysis of the procedures
    adopted by the banking industry based upon the
    concepts described above, formulated into a set
    of rules.
  • The Bell-LaPadula model relevant to Multi-Level
    Security is primarily concerned with information
    confidentiality. The Clark Wilson model (CWM) is
    concerned with information integrity.

Clark Wilson model terms UDI, CDI, TP
  • UDI - Unconstrained Data Item, e.g. an input to
    the system prior to authentication and
  • CDI - Constrained Data Item e.g. a validated and
    authenticated input the processing of which
    maintains accounting balance.
  • TP - Transformation Procedure. A means of
    transforming input data to output CDI which
    maintains the integrity of CDIs and which write
    enough information to an append-only CDI (audit
    trail) to enable the transaction to be

Clark Wilson model terms IVP, user, triple
  • IVP - Integrity Verification Procedure - a
    procedure used to check the validity of a CDI
    e.g. that books balance.
  • user - a subject or an agent such as a bank
    clerk, ATM engineer, forex dealer, systems
    programmer, security officer, typically having
    insider access.
  • triple - Access control is by means of triples
    (user,TP,CDI) so that shared control is enforced.

Clark Wilson rules C1, C2
  • The model consists of two sets of rules:
    Certification Rules (C) and Enforcement Rules
    (E). The nine rules ensure the external and
    internal integrity of the data items. To
    paraphrase these:
  • C1 - When an IVP is executed, it must ensure
    the CDIs are valid.
  • C2 - For some associated set of CDIs, a TP
    must transform those CDIs from one valid state to

Clark Wilson rules E1, E2
  • Since we must make sure that these TPs are
    certified to operate on a particular CDI, we must
    have E1 and E2.
  • E1 - System must maintain a list of certified
    relations and ensure only TPs certified to run on
    a CDI change that CDI.
  • E2 - System must associate a user with each
    TP and set of CDIs. The TP may access the CDI on
    behalf of the user if it is "legal".

Clark Wilson rules C3, E3
  • This requires keeping track of triples (user, TP,
    CDIs) called "allowed relations".
  • C3 - Allowed relations must meet the
    requirements of "separation of duty".
  • We need authentication to keep track of this.
  • E3 - System must authenticate every user
    attempting a TP. Note that this is per TP
    request, not per login.

Clark Wilson rules C4, C5
  • For security purposes, a log should be kept.
  • C4 - All TPs must append to a log enough
    information to reconstruct the operation.
  • When information enters the system it need not be
    trusted or constrained (i.e. can be a UDI). We
    must deal with this appropriately.
  • C5 - Any TP that takes a UDI as input may
    only perform valid transactions for all possible
    values of the UDI. The TP will either accept
    (convert to CDI) or reject the UDI.

Clark Wilson rules E4 (source: Wikipedia)
  • Finally, to prevent people from gaining access by
    changing qualifications of a TP
  • E4 - Only the certifier of a TP may change
    the list of entities associated with that TP.
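
The rules above put together in a small reference monitor, as an added example that is not part of the original presentation. The class and method names, the shared-secret check standing in for real authentication, and the "enter"/"approve" separation-of-duty policy are all assumptions made for illustration; the rule each line enforces is named in its comment.

```python
import hmac

class Denied(Exception):
    """A certification or enforcement rule refused the request."""

CONFLICTS = {"enter": "approve", "approve": "enter"}   # assumed separation-of-duty policy

class Monitor:
    def __init__(self, certifier, secrets, balances):
        self.certifier = certifier
        self.secrets = secrets              # user -> bytes (stand-in for authentication)
        self.cdis = dict(balances)          # CDIs: account -> balance in pence
        self.total = sum(balances.values())
        self.triples = set()                # allowed relations (user, TP, CDI)
        self.pending = {}                   # entered but not yet approved payments
        self.log = []                       # append-only audit trail

    def allow(self, who, user, tp, cdi):
        if who != self.certifier:                                      # E4
            raise Denied("E4: only the certifier may change relations")
        if (user, CONFLICTS.get(tp), cdi) in self.triples:             # C3
            raise Denied("C3: user already holds the conflicting TP")
        self.triples.add((user, tp, cdi))

    def _check(self, user, secret, tp, cdi):
        if not hmac.compare_digest(self.secrets.get(user, b""), secret):
            raise Denied("E3: authentication failed")                  # E3, per request
        if (user, tp, cdi) not in self.triples:                        # E1, E2
            raise Denied("E2: no allowed relation for this triple")

    def enter(self, user, secret, ref, src, dst, amount_udi):
        """TP 1: turn an untrusted amount (UDI) into a pending payment (CDI)."""
        self._check(user, secret, "enter", src)
        ok = (isinstance(amount_udi, str) and amount_udi.isascii()
              and amount_udi.isdigit() and dst in self.cdis
              and ref not in self.pending and 0 < int(amount_udi) <= self.cdis[src])
        self.log.append(("enter", user, ref, src, dst, amount_udi, ok))    # C4
        if not ok:                                                     # C5: reject the UDI
            raise Denied("C5: input rejected")
        self.pending[ref] = (src, dst, int(amount_udi))

    def approve(self, user, secret, ref):
        """TP 2: a second user executes the pending payment."""
        src, dst, pence = self.pending.get(ref, (None, None, 0))
        self._check(user, secret, "approve", src)      # unknown ref matches no triple
        if pence > self.cdis[src]:                                     # C2
            raise Denied("C2: approval would leave an invalid state")
        del self.pending[ref]
        self.cdis[src] -= pence
        self.cdis[dst] += pence
        self.log.append(("approve", user, ref, src, dst, pence, True))     # C4

    def ivp(self):
        """C1: money is neither created nor destroyed and no account is negative."""
        return sum(self.cdis.values()) == self.total and min(self.cdis.values()) >= 0
```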

Limitations of Clark-Wilson 1
  • This policy formulation only goes so far in
    protecting a system against dishonest insiders.
    Rule C3 requires a "separation of duties" but
    doesn't specify what this means.
  • Another problem referred to by Ross Anderson in
    "Security Engineering", Wiley 2001 is that some
    transactions require more than one TP in order to
    be fully validated, e.g. a chequing account that
    requires 2 signatures. This can result in a
    pending transactions file, where there would
    normally be an expectation that entries in this
    ledger are completed or removed within a limited
    period of time, e.g. 3 days.

Limitations of Clark-Wilson 2
  • Anderson describes an attack where a bank clerk
    siphoned money out of the system into a friend's
    account from a suspense account into which new
    transactions were continually input to cover the
    imbalance. Eventually the clerk responsible for
    the fraud became unable to keep track of the
    growing number of transactions. Having a rule
    where every bank employee has to take at least
    one week's holiday every 6 months reduces the
    risk of someone being able to maintain this kind
    of juggling act without being noticed for very

The purpose of Audit
  • It's one thing for an organisation to keep books
    and records. It's another for these records to
    pass muster by an independent and experienced
    professional who comes in unannounced at any time
    to check them and confirm whether or not the
    records correspond to reality. Banks do this more
    frequently using internal auditors, but accounts
    of all organisations over a certain size will
    have to be externally audited once a year. In
    practice auditors will tend to check samples of
    activity. The purpose of an audit isn't to prove
    that a system contains no errors, but to carry
    out spot checks which help encourage participants
    to stay honest and alert, by risking detection of
    any dishonesty or sloppy oversight through audit

Financial Transaction network protocols
  • In any protocol that involves a sequence of
    messages between the initiator (client) and the
    responder (server), it is possible for the last
    message in the protocol to be lost. The sender
    and receiver of this last message are now in
    different states concerning the same transaction.
  • For some purposes, e.g. sending an email, the
    client might simply resend later. This can result
    in the same email being sent once but received 1
    or more times.
  • Financial protocols have to be stateful, to avoid
    missed or duplicate payments. The final message
    can be re-requested later until both initiator
    and respondent are in certain and compatible
    states concerning an identified transaction.
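
The lost-final-message problem described above, as an added example that is not part of the original presentation: the initiator resends the same identified request until a reply arrives, and the responder either remembers completed transactions and replays its final message, or (with remember=False, the e-mail-style case) treats every resend as new. All names and the sample balances are assumptions made for illustration.

```python
class PaymentServer:
    """Responder. With remember=False every resend looks like a new payment."""

    def __init__(self, balances, remember=True):
        self.balances = dict(balances)
        self.remember = remember
        self.completed = {}                 # txn_id -> (request, final message)

    def handle(self, txn_id, src, dst, pence):
        request = (src, dst, pence)
        if self.remember and txn_id in self.completed:
            first_request, final = self.completed[txn_id]
            if first_request != request:    # id reused for a different payment
                return ("CONFLICT", txn_id)
            return final                    # replay the final message, move no money
        if dst in self.balances and 0 < pence <= self.balances.get(src, 0):
            self.balances[src] -= pence
            self.balances[dst] += pence
            final = ("PAID", txn_id)
        else:
            final = ("REFUSED", txn_id)
        self.completed[txn_id] = (request, final)
        return final

def pay(server, txn_id, src, dst, pence, lost_replies, max_tries=5):
    """Initiator: resend the identified request until a final message arrives.

    The first `lost_replies` replies are dropped to simulate the network.
    """
    for attempt in range(1, max_tries + 1):
        reply = server.handle(txn_id, src, dst, pence)   # the request itself arrives
        if attempt > lost_replies:                       # this reply got through
            return reply, attempt
    return None, max_tries    # outcome still unknown: keep re-requesting, never guess

def demo(remember):
    """Constructed scenario: one 30p payment whose first two replies are lost."""
    server = PaymentServer({"alice": 100, "bob": 0}, remember=remember)
    reply, tries = pay(server, "txn-0001", "alice", "bob", 30, lost_replies=2)
    return reply, tries, server.balances

if __name__ == "__main__":
    print("stateful :", demo(True))
    print("stateless:", demo(False))
```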

Anonymous money 1
  • Probably the most useful form of anonymous money
    currently is conventional cash. You don't have to
    know who is spending it to authenticate it when
    you accept it, and you don't have to say who you
    are when you spend it.
  • But cash isn't used for Internet purchases. In
    the early 1990s, a number of libertarians
    designed, developed and campaigned for the
    concept of digital anonymous cash. This digital
    money was cryptographically "blinded" so as to
    prevent the bank knowing who was paying how much
    for what, while including protocols preventing
    double spending of digital tokens.

Anonymous money 2
  • One reason why anonymous digital cash may be less
    necessary than advocates including Hettinga and
    Chaum suggested is due to data protection laws
    preventing unwarranted use by banks of customer
    records. Another factor concerns the improved
    security the bank customer obtains precisely from
    the accounting carried out by the bank.
    Sacrificing this for anonymity is likely to be
    something few will feel the need to do other than
    for small payments.

The Bitcoin network
  • This involves cryptographic discovery and signing
    of special numbers or 'Bitcoins' which results in
    proof of work. Initial and earlier 'mining'
    efforts were more productive of new valid
    Bitcoins than later as there exists a finite
    amount to be discovered. Validation of the next
    transaction block results in knowledge of which
    cryptography keys control which identified
    Bitcoins. This involves network 'consensus'
    between those engaged, so security depends upon
    no single party or conspiracy being able to
    establish a majority vote.
  • Accepting and spending these in a genuinely
    'anonymous' way seems difficult, as is securing a
    wallet. Dealers between Bitcoins and other
    currencies are at risk of conventional payment
    repudiation unless contract terms enforce use of
    cleared funds only. Some have likened this
    network to a Ponzi scheme as holder belief in
    value and lack of underwriting creates similar
    financial characteristics.

Limits of anonymous finance
  • Electronic cash can probably never provide
    absolute anonymity because this conflicts with
    Carlan's third law of politics, that "power
    abhors a vacuum". The state would use any means
    at its disposal to close down those visibly
    underwriting a financial system sufficiently
    anonymous to be usable for an assassination
    market, because the latter would directly
    conflict with a primary purpose of the state. If
    the network were not underwritten, the state
    would pursue those advertising acceptance of
    anonymous payments.
  • This doesn't prevent development of useful
    payment systems e.g. based upon the London Oyster
    Card where the recipient of small amounts of
    money can't identify the person making the