For Payments, the Best Offense is a Multi-Tiered Security and Policy-Based Defense Dan Miner, CTP – General Manager, Treasury Services, 3Delta Systems Friday, June 8, 2012 10:10 – 11:00 AM Plaza B LEGAL DISCLAIMER Nothing we discuss today constitutes legal advice. For any specific questions, seek the independent advice of your attorney. Furthermore, lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsumautem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla… Consumerization of the Workspace Data: anywhere, anytime on any device Devices » » » BYOD » » Tablet PCs Smart phones Home systems used to access work assets Angry Birds, anyone? Fun. Harmless (probably…) How about “DroidDream”? Social Media » Used as a recon base for phishers The Fine and Ancient Art of Phishing I don’t think I bought this…. Oh, NO! My Google Adwords have stopped working. Better get right on that! And, Now I Am Getting Sued (by illiterates). Trough? And, I can’t even get paid… From:payments@nacha.org [mailto:payments@nacha.org] Sent: Tuesday, February 22, 2011 7:32 AM To: Doe, John Subject: ACH transaction rejected The ACH transaction, recently sent from your checking account (by you or any other person), was cancelled by the Electronic Payments Association. Please click here to view report ------------------------------------------------------------------ Otto Tobin, Risk Manager =================== Compromises At All-Time High More breaches, » » less stolen data? Number of breaches almost doubled since 2010 Verizon Data Breach Report However, record loss decreases » 361 million >> 144 million >> 4 million Verizon 2011 Data Breach Investigations Report Compromises At All-Time High It appears that cybercriminals are currently satisfied with compromising Point-of-Sale (POS) systems and performing account takeovers and Automated Clearing House (ACH) transaction fraud. There has been an increase in these areas in 2010. In relation to prior years, it appeared that there were more data breaches in 2010, but the compromised data decreased due to the size of the compromised company’s databases. This shows willingness in the cybercriminal underground to go after the smaller, easier targets that provide them with a smaller yet steady stream of compromised data. Verizon 2011 Data Breach Investigations Report Compromises At All-Time High There’s been a noticeable increase in account takeovers. This can be directly related to the continued rise of the Zeus Trojan and other malware variants created to capture login credentials to financial websites. These account takeovers result in fraudulent transfers from the victim’s account to an account under the control of the perpetrator. Verizon 2011 Data Breach Investigations Report Increased Scrutiny and Liability Data Collection/Use Explosion in use of mobile phones and apps has led to increased scrutiny of how providers and application developers are collecting, using and sharing mobile data. WSJ articles and high-profile breaches spawned a series of congressional inquiries and hearings regarding companies’ data collection, use and sharing practices. » August 2010 – Congress asked 15 companies re: online behavioral tracking » October 2010 – Congress asked Facebook re: sending user identifiers to app developers » April 2011 – Congress asked Apple re: location data on iPhones and iPads » May 2011 – Sen. Franken sent letters to Apple and Google asking companies to require all apps for Apple’s iOS and Google’s Android OS have privacy policies Legislative and Regulatory Activity Pending cybersecurity bills in last Congress numbered over 45… and many (at least 42) already pending in the 112th Congress, including Cybersecurity and Internet Freedom Act of 2011 (S.413) S. 21 - Cyber Security and American Cyber Competitiveness Act of 2011 S. 1151 Personal Data Privacy and Security Act of 2011 S. 1223 Location Privacy Protection Act of 2011 S. 1408 Data Breach Notification Act of 2011 S. _____ Cloud Computing Act of 2011 S. _____ Legislation on Securing the U.S. Electrical Grid H.R. 174 - Homeland Security Cyber and Physical Infrastructure Protection Act H.R. 2096 – Cybersecurity Enhancement Act of 2011 H.R. 2577 – Secure and Fortify Electronic (SAFE) Data Act Legislative and Regulatory Activity Regulatory OCC Guidance re application security (OCC 2008-16) HIPAA Security Rule updates (NIST 800-66) Proposed FTC Privacy Framework (December 1, 2010) International: EU Cookie Law FFIEC Guidance supplement to the Authentication in an Internet Banking Environment guidance Selected Litigation Example Experi-metal v. Comerica (2011). Successful phishing attack led to over $9MM in fraudulent transfers; lawsuit by business against bank; judge rules for business stating “[t]his trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. PCI DSS – Penalties for Non-Compliance Failure to comply (or certify compliance) with the PCI DSS may result in fines Fines for non-compliance can be up to $5K - $10K per month If you have a data breach and are not PCI-compliant, fines can be as high as $500K (MasterCard®) or $750K (VISA®) » Merchants may also be responsible for any fraudulent charges resulting from the breach and the costs of re-issuing any cards compromised during the breach In theory, you can be precluded from accepting credit/debit cards if your compliance deficiencies are bad enough FFIEC Guidance Summary Not every online transaction poses the same level of risk. » Retail/Consumer Banking: Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk. » Business/Commercial Banking: Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer. FFIEC Guidance Summary Financial institutions should implement layered security, utilizing controls consistent with the increased level of risk for covered business transactions. Recommend that institutions offer multifactor authentication to their business customers. FFIEC Layered Defense Suggestions Technical Countermeasures Emphasize Enhanced Authentication Dual customer authorization through different access devices Out-of-band verification for transactions "Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities FFIEC Layered Defense Suggestions Policy/Activity-Based Countermeasures Emphasize Usage Management Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day and allowable payment windows [e.g., days and times] FFIEC Layered Defense Suggestions Policy/Activity-Based Countermeasures Emphasize Usage Management (con’t.) Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk Layered Security Model Begin with the assumption your client’s systems are compromised. » Can you do business? Contemporary systems are being developed to robustly and repeatedly answer: » » » » Who are you? (Authentication) Where can you go in the system? (Authorization) What can you see when you get there? (Authorization) What can you do when you get there? (Authorization) Layered Security Model And allow these rights and permissions to be assigned at various levels through the organization with vigorous logging and auditing capability (Accounting) Layered Security Model: Data Tokenization Why do ants show up at a picnic? It’s where the food is. Investigate new methods of reducing risk such as data tokenization as means of removing the valuable and risky data from systems » Valuable data is replaced by value-less data: Credit card number “4111 1111 2222 3333” is replaced by “PG43J74F” or otherwise useless-to-the-criminal values » Tokenization reduces the scope of PCI efforts as the presence of a “cardholder data environment” can be reduced or eliminated Summary Corporate risk management is really getting interesting » The number of devices and systems that directly or indirectly access financial systems are exploding and innovation is outstripping controls » Criminal malware is very good, very prevalent, and very hard to detect » Account takeover cases are exploding Summary (con’t.) Legal and regulatory consequences and impacts on corporate operations are numerous, complex and ambiguous. Rights and responsibilities are still being defined. » Corporate as a consumer of banking / financial services » Corporate as the provider of systems to its customers Layered security and control models emphasizing multiple measures and countermeasures are the recommended solution Questions / Discussion Presenter Dan Miner, CTP General Manager, Treasury Services 3Delta Systems, Inc. Dan.Miner@3DSI.com (w) 703.234.6016 www.3DSI.com