For Payments, the Best Offense
is a Multi-Tiered Security and
Policy-Based Defense
Dan Miner, CTP – General Manager, Treasury Services,
3Delta Systems
Friday, June 8, 2012
10:10 – 11:00 AM
Plaza B
LEGAL DISCLAIMER
Nothing we discuss today constitutes legal advice. For any specific
questions, seek the independent advice of your attorney. Furthermore,
lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse
molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros
lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in
vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla
facilisis at vero eros lorem ipsumautem vel eum iriure dolor in hendrerit in
vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla
facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in
hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu
feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum
iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum
dolore eu feugiat nulla…
Consumerization of the Workspace
Data: anywhere, anytime on any device

Devices
»
»
»

BYOD
»
»

Tablet PCs
Smart phones
Home systems used to access work assets
Angry Birds, anyone? Fun. Harmless (probably…)
How about “DroidDream”?
Social Media
»
Used as a recon base for phishers
The Fine and Ancient Art of Phishing
I don’t think I bought this….
Oh, NO! My Google Adwords
have stopped working.
Better get right on that!
And, Now I Am Getting Sued
(by illiterates).
Trough?
And, I can’t even get paid…
From:payments@nacha.org [mailto:payments@nacha.org]
Sent: Tuesday, February 22, 2011 7:32 AM
To: Doe, John
Subject: ACH transaction rejected
The ACH transaction, recently sent from your checking account (by you or any
other person), was cancelled by the Electronic Payments Association.
Please click here to view report
------------------------------------------------------------------
Otto Tobin,
Risk Manager
===================
Compromises At All-Time High
 More breaches,
»
»
less stolen data?
Number of breaches almost doubled since 2010
Verizon Data Breach Report
However, record loss decreases
»
361 million >> 144 million >> 4 million
Verizon 2011 Data Breach Investigations Report
Compromises At All-Time High

It appears that cybercriminals are currently satisfied with
compromising Point-of-Sale (POS) systems and performing account
takeovers and Automated Clearing House (ACH) transaction fraud.

There has been an increase in these areas in 2010. In relation to prior
years, it appeared that there were more data breaches in 2010, but
the compromised data decreased due to the size of the compromised
company’s databases.

This shows willingness in the cybercriminal underground to go after
the smaller, easier targets that provide them with a smaller yet steady
stream of compromised data.
Verizon 2011 Data Breach Investigations Report
Compromises At All-Time High

There’s been a noticeable increase in account takeovers.

This can be directly related to the continued rise of the Zeus Trojan
and other malware variants created to capture login credentials to
financial websites.

These account takeovers result in fraudulent transfers from the
victim’s account to an account under the control of the perpetrator.
Verizon 2011 Data Breach Investigations Report
Increased Scrutiny and Liability
Data Collection/Use

Explosion in use of mobile phones and apps has led to increased scrutiny of
how providers and application developers are collecting, using and sharing
mobile data.

WSJ articles and high-profile breaches spawned a series of congressional
inquiries and hearings regarding companies’ data collection, use and sharing
practices.
»
August 2010 – Congress asked 15 companies re: online behavioral tracking
»
October 2010 – Congress asked Facebook re: sending user identifiers to app
developers
»
April 2011 – Congress asked Apple re: location data on iPhones and iPads
»
May 2011 – Sen. Franken sent letters to Apple and Google asking companies to
require all apps for Apple’s iOS and Google’s Android OS
have privacy policies
Legislative and Regulatory Activity
Pending cybersecurity bills in last Congress numbered over 45…
and many (at least 42) already pending in the 112th Congress, including










Cybersecurity and Internet Freedom Act of 2011 (S.413)
S. 21 - Cyber Security and American Cyber Competitiveness Act of 2011
S. 1151 Personal Data Privacy and Security Act of 2011
S. 1223 Location Privacy Protection Act of 2011
S. 1408 Data Breach Notification Act of 2011
S. _____ Cloud Computing Act of 2011
S. _____ Legislation on Securing the U.S. Electrical Grid
H.R. 174 - Homeland Security Cyber and Physical Infrastructure Protection Act
H.R. 2096 – Cybersecurity Enhancement Act of 2011
H.R. 2577 – Secure and Fortify Electronic (SAFE) Data Act
Legislative and Regulatory Activity
Regulatory

OCC Guidance re application security (OCC 2008-16)

HIPAA Security Rule updates (NIST 800-66)

Proposed FTC Privacy Framework (December 1, 2010)

International: EU Cookie Law

FFIEC Guidance supplement to the Authentication in an Internet
Banking Environment guidance
Selected Litigation Example
Experi-metal v. Comerica (2011). Successful phishing attack
led to over $9MM in fraudulent transfers; lawsuit by
business against bank; judge rules for business stating
“[t]his trier of fact is inclined to find that a bank dealing
fairly with its customer, under these circumstances, would
have detected and/or stopped the fraudulent wire activity
earlier.
PCI DSS –
Penalties for Non-Compliance

Failure to comply (or certify compliance) with the PCI DSS may
result in fines

Fines for non-compliance can be up to $5K - $10K per month

If you have a data breach and are not PCI-compliant, fines can be
as high as $500K (MasterCard®) or $750K (VISA®)
»

Merchants may also be responsible for any fraudulent charges
resulting from the breach and the costs of re-issuing any cards
compromised during the breach
In theory, you can be precluded from accepting credit/debit cards
if your compliance deficiencies are bad enough
FFIEC Guidance Summary

Not every online transaction poses the same level of risk.
»
Retail/Consumer Banking: Since the frequency and dollar amounts
of these transactions are generally lower than commercial
transactions, they pose a comparatively lower level of risk.
»
Business/Commercial Banking: Online business transactions
generally involve ACH file origination and frequent interbank wire
transfers. Since the frequency and dollar amounts of these
transactions are generally higher than consumer transactions, they
pose a comparatively increased level of risk to the institution and
its customer.
FFIEC Guidance Summary

Financial institutions should implement layered security,
utilizing controls consistent with the increased level of risk for
covered business transactions.

Recommend that institutions offer multifactor authentication
to their business customers.
FFIEC Layered Defense Suggestions
Technical Countermeasures Emphasize
Enhanced Authentication

Dual customer authorization through different access devices

Out-of-band verification for transactions

"Positive pay," debit blocks, and other techniques to
appropriately limit the transactional use of the account

Internet protocol [IP] reputation-based tools to block
connection to banking servers from IP addresses known or
suspected to be associated with fraudulent activities
FFIEC Layered Defense Suggestions
Policy/Activity-Based Countermeasures
Emphasize Usage Management

Fraud detection and monitoring systems that include
consideration of customer history and behavior and enable a
timely and effective institution response

Enhanced controls over account activities, such as transaction
value thresholds, payment recipients, number of transactions
allowed per day and allowable payment windows [e.g., days
and times]
FFIEC Layered Defense Suggestions
Policy/Activity-Based Countermeasures
Emphasize Usage Management (con’t.)

Policies and practices for addressing customer devices identified as
potentially compromised and customers who may be facilitating
fraud

Enhanced control over changes to account maintenance activities
performed by customers either online or through customer service
channels

Enhanced customer education to increase awareness of the fraud
risk and effective techniques customers can use to mitigate the risk
Layered Security Model

Begin with the assumption your client’s systems are
compromised.
»

Can you do business?
Contemporary systems are being developed to robustly and
repeatedly answer:
»
»
»
»
Who are you? (Authentication)
Where can you go in the system? (Authorization)
What can you see when you get there? (Authorization)
What can you do when you get there? (Authorization)
Layered Security Model

And allow these rights and permissions to be assigned at
various levels through the organization with vigorous
logging and auditing capability (Accounting)
Layered Security Model:
Data Tokenization
Why do ants show up at a picnic? It’s where the food is.

Investigate new methods of reducing risk such as data
tokenization as means of removing the valuable and risky data
from systems
»
Valuable data is replaced by value-less data: Credit card number
“4111 1111 2222 3333” is replaced by “PG43J74F” or otherwise
useless-to-the-criminal values
»
Tokenization reduces the scope of PCI efforts as the presence of
a “cardholder data environment” can be reduced or eliminated
Summary

Corporate risk management is really getting interesting
»
The number of devices and systems that directly or indirectly
access financial systems are exploding and innovation is
outstripping controls
»
Criminal malware is very good, very prevalent, and very hard to
detect
»
Account takeover cases are exploding
Summary (con’t.)


Legal and regulatory consequences and impacts on corporate
operations are numerous, complex and ambiguous. Rights
and responsibilities are still being defined.
»
Corporate as a consumer of banking / financial services
»
Corporate as the provider of systems to its customers
Layered security and control models emphasizing multiple
measures and countermeasures are the recommended
solution
Questions / Discussion
Presenter
Dan Miner, CTP
General Manager, Treasury Services
3Delta Systems, Inc.
Dan.Miner@3DSI.com
(w) 703.234.6016
www.3DSI.com