- Nebraska AFP

2009 Treasury Management Conference
epcore and Nebraska AFP
Fred Laing, II
UMACHA






Why is data security so important?
How does this impact the ACH Network?
What do the ACH Rules say?
Where do ACH transactions go anyway?
What are the vulnerabilities?
What can we do about them?









In 2008, 9.9 million people were victims of identity theft, up 22% over 2007 (Congressional Research Service, May 2009)
53 million people (including consumers, employees, students and patients) have had data exposed about themselves in a 13-month period (Information Week, 2006)
There were 158 data breaches recorded in 2005, 312 in 2006, and 446 in 2007 (Information Week, Jan. 2008)
24% of consumers report shopping less online (Visa, 2006)
44 states have enacted some sort of data breach law (ABA, 2009)
Fraud is now the top reason given for chargebacks on several networks (Am. Banker, 2006)
A hacker was indicted for stealing 130 million credit card numbers (Information Week, August 2009)
43.4% of U.S. adults have received a phishing e-mail and almost 5% of those attacks are successful (First Data Report, 2006)
The FBI’s Internet Fraud Crime Report recorded 207,492 complaint submissions in 2006

Failures of business to protect consumers:
◦ Network Solutions had a group of hackers break into their web servers and steal 573,000 debit and credit card numbers in July of 2009.
◦ Suncoast Schools Federal Credit Union is reissuing 56,000 debit cards after it recently determined that the Heartland breach had affected it.
◦ University of North Dakota had a computer stolen in Charleston (last year!) with the personal records of over 84,000 donors. This was reported in June, 2009.
◦ Aetna had a breach resulting from a spam campaign that included the loss of 65,000 Social Security numbers. They are being sued! (class action) – May, 2009.
◦ Virginia Department of Health, along with the FBI and the Virginia State Police, is searching for hackers who demanded a $10 million ransom for return of medical prescription records (many including SSNs) on 530,000 individuals – May 2009.
◦ Checkfree had 160,000 consumer bill payment accounts exposed out of 5 million – they don’t know which ones! – Jan. 2009.
◦ And don’t forget:
 Ameritrade - 200,000 personal records
 LexisNexis - 310,000 potential victims
 Bank of America - missing over a million records
 ChoicePoint, DSW, HSBC, TJX, Hannaford, Certegy………………………….






TJX – 45.7 million C.C. records, costs are in the 100’s of millions
ChoicePoint – $15 million in losses
Hannaford Bros. – 4.2 million records stolen, 1,800 cases of fraud reported
Certegy – 8.5 million records compromised – internally generated
Heartland – over 200 financial institutions affected, well over 1 million consumers
Only three financial institution breaches so far this year (not counting Heartland) – there were twelve last year (privacyrights.org)

Business
◦ Employee dishonesty
◦ Poor controls (access, dual controls, storage)
◦ Faulty or old hardware and/or software
◦ Inappropriate internal security
◦ Poor, or no, encryption
◦ Whaling, spear-phishing
◦ Bad or no security policies

Consumer
◦ Phishing, pharming, etc.
◦ Family dishonesty
◦ Inappropriate downloads
◦ No or old virus software, anti-spyware, firewalls, etc.

Source: Antiphishing.org




PCI-DSS for cards
ACH Rules include some requirements for ACH
Wire is through Federal Reserve Circulars
Paper???????
◦ Image/RDC – Depends on the network or vendor
[Figure: card payment flow among cardholder, merchant, acquirer, network, processor, issuer and business/organization, showing the authorization, posting, dollars and settlement legs.]

Developed from the VISA Digital Dozen:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do NOT use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access to data
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security




Most fraud is in the payments area (check, C.C., debit card, etc.)
ACH is the fastest growing payment network
All that’s needed is an ENTRY point
TEL in 2003
◦ Return rates in the 50% range
◦ Unauthorized rates close to 15%
We need to keep it that way



UCC 4A requirement – Commercially Reasonable Security Procedures between the ODFI and originator
Operator security requirements (encryption and access)
Limited access – YOU HAVE TO HAVE A FINANCIAL INSTITUTION THAT AGREES TO ORIGINATE FOR YOU!!!

In “standard” ACH products, very limited
◦ Access to the network should be difficult if the ODFI/company is managing its risk appropriately
 (KNOW YOUR CUSTOMER!!)

Electronic Check Products
◦ ARC – Limited loss potential (why would someone else pay my bill?)
◦ RCK – Item has already been returned, but only for NSF or uncollected funds
– limited liability
◦ POP – Significant potential for loss
 For spontaneous purchases at the point of sale
 Check given back to the consumer
 Signature required on a separate authorization
 Fraudster has the evidence
 NO reasonable fraud management processes in place to date
◦ BOC – Mix of ARC and POP from a vulnerability standpoint

WEB –
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Poor authentication procedures

TEL –
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Incomplete verification processes

Section 1.6 – Transmission of ACH Information Via Unsecured Electronic Networks
◦ 128-bit RC4 encryption for all ACH data that is transmitted or exchanged between any and all parties

Section 2.11.2.5 – WEB Annual Audit
◦ Physical Security
◦ Personnel and Access Controls
◦ Network Security
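The Section 1.6 requirement above names 128-bit RC4 as the floor for ACH data crossing an unsecured network. RC4 is a stream cipher with no integrity protection and it is now deprecated (RFC 7465 prohibits it in TLS), so a practitioner auditing a file-transfer setup wants to see concretely what goes wrong. The Go example below is added here for this page; it is not code from the deck, from UMACHA or from NACHA, and the key, records and function names (rc4Encrypt, recoverWithKnownPlaintext, forgeByte, gcmSeal, gcmOpen) are its own. It shows two failures of "just encrypt it": a static key reused across two transfers lets one record be recovered from the other without the key, and a single ciphertext byte can be changed to alter a dollar amount with no error on decryption. AES-128-GCM with a per-message nonce and authentication tag, the corrected setting, rejects the same edit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"errors"
	"fmt"
)

// rc4Encrypt encrypts with a fresh RC4 keystream for the given key.
// Decryption is the same operation. A site that reuses one static
// 128-bit key for every file transfer gets the same keystream each time.
func rc4Encrypt(key, plaintext []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // key length outside 1..256 bytes
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out
}

// recoverWithKnownPlaintext exploits keystream reuse: c1 XOR c2 == p1 XOR p2,
// so a known (or guessed) p1 yields p2 without ever touching the key.
func recoverWithKnownPlaintext(c1, c2, p1 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	if len(p1) < n {
		n = len(p1)
	}
	p2 := make([]byte, n)
	for i := 0; i < n; i++ {
		p2[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return p2
}

// forgeByte flips ciphertext bits at offset so that plaintext byte 'from'
// decrypts as 'to'. Works against any unauthenticated stream cipher.
func forgeByte(ciphertext []byte, offset int, from, to byte) []byte {
	forged := append([]byte(nil), ciphertext...)
	forged[offset] ^= from ^ to
	return forged
}

// gcmSeal encrypts with AES-128-GCM: a fresh random nonce per message and an
// authentication tag over the ciphertext. The nonce is prepended to the output.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen verifies the tag and decrypts; any modified byte fails.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key for the demo
	// Constructed, simplified ACH-style records (fictitious accounts): 10-digit amount in cents at the end.
	rec1 := []byte("ACCT 000123456789 AMT 0000001000")
	rec2 := []byte("ACCT 000987654321 AMT 0000025000")

	c1 := rc4Encrypt(key, rec1)
	c2 := rc4Encrypt(key, rec2)
	fmt.Printf("rec2 recovered from c1, c2 and rec1 alone: %q\n", recoverWithKnownPlaintext(c1, c2, rec1))

	off := len(rec1) - 5 // the digit that turns 0000001000 into 0000091000
	forged := forgeByte(c1, off, rec1[off], '9')
	fmt.Printf("RC4 decrypts the forged record without complaint: %q\n", rc4Encrypt(key, forged))

	sealed, err := gcmSeal(key, rec1)
	if err != nil {
		panic(err)
	}
	sealed[12+off] ^= rec1[off] ^ '9' // the same edit against the AES-GCM ciphertext (12-byte nonce prefix)
	_, err = gcmOpen(key, sealed)
	fmt.Println("AES-GCM rejects the tampered record:", err)
}
```

The point for an ACH audit is not the cipher name alone: whatever the transport, the check is that keys are not static across transfers and that the receiving side verifies integrity before posting anything.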

Physical
◦ Who has access to the terminals used to support your on-line banking?
◦ How do they “get” into the space to access their terminal?
◦ What policies and procedures are in place to ensure your space is secure?
◦ Where is your data stored and how secure is that space?
◦ If information is printed, where is that stored, and when is it destroyed?
◦ Do you have Uninterruptible Power Supplies installed?
◦ Consider closed circuit TVs or other monitoring devices

Network
◦ Virus software
◦ Firewalls
◦ Disable all unused ports
◦ Automatic log-outs after a certain amount of inactivity
◦ Change all vendor supplied passwords (administrator, password, etc.)
◦ Encrypt all data when moved and when stored
◦ Use a VPN whenever possible
◦ Install updates as soon as they are published

Personnel and Access Controls
◦ Password controls
 Changed on a regular basis
 Of a specified length and character type
 Specify HOW they are kept secure
◦ Key fobs (they ARE responsible for their fob!)
◦ Biometric devices
◦ Personnel screening when hiring is done
◦ Dual control on all processes that require handling of sensitive information
◦ Establish a security policy and have each employee read and sign that they have read it
◦ Have an employee awareness training program (they need to know you care…..and that you are watching)

ACH Network Data Security Self Assessment
Workbook
◦ Began with a review of the VISA digital dozen
◦ Key sections in the workbook
 Computing your Information Risk Profile (questionnaire
based – borrowed from PCI)
 Controls for high to medium risk originators
 Controls for low risk originators
 Case studies and checklists


TIC looked at where we have security built in and where we do not
Project looked at ACH transactions end-to-end
◦ Receiver’s information at authorization
◦ Movement of data from ODFI to ACH operator to RDFI for posting
◦ Third party involvement
◦ Data at rest (during storage and then destruction)


HOW is the information moved?
How is it stored at each point?
◦ How long does each point retain the information?




What data is moved?
What data is stored?
Where is that data, and in how many forms or
formats?
How is that data finally destroyed?
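The questions above (what data is moved, where it is stored, in how many forms) are easiest to answer against the record that actually carries the Receiver's data from ODFI to operator to RDFI. The Go example below is added for this page and is not code from the deck, from UMACHA or from NACHA: it parses a constructed NACHA Entry Detail Record (record type 6; the fixed 94-character field positions are the standard NACHA layout, which the deck does not reproduce), validates the RDFI routing number's check digit, and produces a redacted copy with the account number and individual ID masked, the form a practitioner would keep in logs, reports and any copy retained beyond its need. The sample record, account, routing number and name are constructed, and the function names (ParseEntryDetail, ValidRouting, RedactForStorage) are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// EntryDetail holds the fields of a NACHA Entry Detail Record (record type 6),
// the 94-character line that carries the Receiver's account data through the
// ACH Network. Positions follow the standard NACHA layout, not the deck.
type EntryDetail struct {
	TransactionCode string // pos 2-3, e.g. 27 = checking debit
	RDFIRouting     string // pos 4-12, 8-digit RDFI identifier plus check digit
	Account         string // pos 13-29, the Receiver's DFI account number
	AmountCents     int64  // pos 30-39
	IndividualID    string // pos 40-54
	IndividualName  string // pos 55-76
	TraceNumber     string // pos 80-94
}

// SampleEntryDetail builds a constructed record (fictitious account; routing
// number chosen so that its check digit is valid).
func SampleEntryDetail() string {
	return fmt.Sprintf("6%2s%8s%1s%-17s%010d%-15s%-22s%-2s%1s%15s",
		"27", "07100050", "5", "123456789012", 12500, "EMP00042", "JANE DOE", "", "0", "071000500000001")
}

// RoutingCheckDigit computes the ABA check digit for the first eight digits:
// weights 3,7,1 repeating, and the full nine digits must sum to 0 mod 10.
func RoutingCheckDigit(first8 string) (byte, error) {
	if len(first8) != 8 {
		return 0, errors.New("need exactly 8 digits")
	}
	weights := []int{3, 7, 1, 3, 7, 1, 3, 7}
	sum := 0
	for i, c := range first8 {
		if c < '0' || c > '9' {
			return 0, errors.New("non-digit in routing number")
		}
		sum += weights[i] * int(c-'0')
	}
	return byte('0' + (10-sum%10)%10), nil
}

// ValidRouting reports whether a nine-digit routing number has a correct check digit.
func ValidRouting(r string) bool {
	if len(r) != 9 {
		return false
	}
	d, err := RoutingCheckDigit(r[:8])
	return err == nil && d == r[8]
}

// ParseEntryDetail splits a type-6 record into its fields, rejecting a
// wrong-length line or an RDFI routing number with a bad check digit.
func ParseEntryDetail(line string) (EntryDetail, error) {
	var e EntryDetail
	if len(line) != 94 {
		return e, fmt.Errorf("record is %d chars, want 94", len(line))
	}
	if line[0] != '6' {
		return e, errors.New("not an entry detail record")
	}
	e.TransactionCode = line[1:3]
	e.RDFIRouting = line[3:12]
	if !ValidRouting(e.RDFIRouting) {
		return e, fmt.Errorf("bad routing check digit in %q", e.RDFIRouting)
	}
	e.Account = strings.TrimSpace(line[12:29])
	amt, err := strconv.ParseInt(line[29:39], 10, 64)
	if err != nil {
		return e, fmt.Errorf("amount: %w", err)
	}
	e.AmountCents = amt
	e.IndividualID = strings.TrimSpace(line[39:54])
	e.IndividualName = strings.TrimSpace(line[54:76])
	e.TraceNumber = line[79:94]
	return e, nil
}

// maskKeepLast4 replaces all but the last four characters with '*'.
func maskKeepLast4(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// RedactForStorage returns a copy of the record with the account number and
// individual ID masked in place, keeping the layout for reconciliation.
func RedactForStorage(line string) (string, error) {
	e, err := ParseEntryDetail(line)
	if err != nil {
		return "", err
	}
	out := []byte(line)
	copy(out[12:29], fmt.Sprintf("%-17s", maskKeepLast4(e.Account)))
	copy(out[39:54], fmt.Sprintf("%-15s", maskKeepLast4(e.IndividualID)))
	return string(out), nil
}

func main() {
	raw := SampleEntryDetail()
	e, err := ParseEntryDetail(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("txn %s to RDFI %s acct %s amount $%d.%02d trace %s\n",
		e.TransactionCode, e.RDFIRouting, e.Account, e.AmountCents/100, e.AmountCents%100, e.TraceNumber)
	masked, _ := RedactForStorage(raw)
	fmt.Println(raw)
	fmt.Println(masked)
}
```

Inventorying where the unmasked form of this record exists (origination files, operator transmissions, posting systems, reports, backups, printouts) and for how long is exactly the list the questions above ask for; the redacted form is what should survive in anything kept for convenience rather than need.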


Verification of who you’re doing business with makes fraud or a breach much less likely…..so how do you authenticate?
Face-to-face:
◦ Drivers License, passport, Gov’t ID card, biometric

Virtual:
◦ User ID, Password, token, Digital Certificate
A number of authentication methods were tested in the recent past, but per-installed-user costs have proved too daunting for most.

[Figure: install cost per user ($0 to $75) vs. level of security (low to high), 2001-2002, with a “zone of acceptance” at the low-cost end. Methods plotted: password access/ATM register; PKI in software/password; PKI in software/password + encrypted hash TxnID; CD/ROM; RSA SecurID/password/PIN; mag-stripe/secure PINpad; secure PINpad; PKI; mag-stripe/secure PINpad/smartcard/certs; PKI in software certs; biometrics; smartcard/secure PINpad/certs. Source: BetterBuyDesign, 2001]

Yet there were no real changes in the mix, just a proliferation of “would-be” alternatives that have yet to achieve any real traction.

[Figure: the same chart for 2005, install cost per user ($0 to $45) vs. level of security, with the zone of acceptance again at the low-cost end; methods added since the earlier chart: 3-D Secure, host-supplied encryption, machine and device IDs. Source: BetterBuyDesign, 2001]
Information Fraud: Sensitive Information Movement
Security is a TOTAL System, Process, and Procedure Issue!!

[Figure: diagram of where sensitive data flows across an enterprise: production data, disk storage, data warehouse, business analytics, backup tape, backup disk, DR, staging, file server, enterprise email, WAN, customer portal/WWW, VPN and endpoints; reaching WW campuses, WW customers, WW partners, outsourced development and remote employees. Layers: Endpoint, Network, Applications, Files, Storage.]

Information Fraud: Specific Risks

[Figure: the same diagram annotated with the risk at each point: device theft, media theft, media loss, unauthorized activity, unauthorized access, intercept, takeover, unavailability, fraud, eavesdropping, unintentional distribution, data loss, device loss, data corruption, data theft, DOS.]






For every step taken to secure data, the hacking community will find a vulnerability
Our job: keep one step ahead!
Know your customer, and your customer’s customers (KYC)
Have good technical resources available
Strong policies and procedures internally
Employee training, and more training!!
Fred Laing, II
UMACHA
7100 Northland Circle, Suite 407
Brooklyn Park, MN 55428
(763) 549-7000
Fredl@umacha.org