Security

advertisement
Financial Data Protection
Financial Data Protection





Financial Data is an Asset??!!
The Compromise
Your Bank’s Security
The Weakest Link
Solutions for Safety
Our Most Valuable Asset…….
Before the Internet
Today’s Valuable Assets
Personal Financial Data =
What is Financial Data?







SSN# and DOB
Address
Mother’s Maiden name
Credit / Debit card and Account numbers
User Name and Passwords
Drivers license or identification numbers
Check Information
How is Data Compromised?
POS / ATM Skimming
How is Data Compromised?
POS / ATM Skimming
How is Data Compromised?
Data Breach - Headlines
TJX - Between 47 and 200 Million Cards
Compromised
• Weak encryption on TJX’s wireless network
allowed the theft of card information.
26.5 Million Veteran’s personal records
exposed
• An employee’s computer was stolen containing
unencrypted information on 26.5 million
people. The information included names, social
security numbers, date of birth and other
personally identifiable information
How is Data Compromised?
Internet Usage
• Viruses, Malware & Keyloggers
• Man in the Middle
• Man in the browser
• Social Networking


Games
Video link
The Reality of Computer Security


22.7 million computers scanned
48.35% compromised
A micro study of 10,000 computers
• 55% of computers equipped with up to
date antivirus and security software, were
not able to detect and remove the Zeus
virus
• 14% had antivirus that was not up to date
• 31% did not have antivirus at all
Source: APWG Q3, 2009 Report
How is Data Compromised?
Email and Phone
• Phishing / Vishing
• Data Leakage
• Clicking on links in text messages or
email
• Nigerian fraud / money mules
What do they do with it?




Account Take Over
Check Fraud
Credit / Debit Fraud
Identity Theft
• Take out loans
• Open deposit accounts
• Apply for credit cards
Account Takeover





Fraudster hacks into your PC
Downloads malware such as a keylogger
to gain your online log on credentials
Logs on with complete access to your
account information and features
Sets up a new payee and initiates a
transfer of funds via ACH or Wire
The money is sent to the money mule and
is then emptied and abandoned
Online banking “just makes life
simpler”
Internet Usage in 2010 was 36%
Internet Usage in 2011 was 62%
Your Bank’s Security Obligations


Gramm Leach Bliley
Act “GLBA”
(Customer) 1999
FFIEC Internet
Authentication
Guidance
2005 & 2011

MA 201 CMR 17.00
Mass Residents - 2010
Minimum Standards of Protection
GLBA & MA 201 CMR 17











Anti Virus Software
Anti Spam Software
Patching
Software Upgrades
Penetration Testing
Vulnerability Testing
Auditing
Firewalls
Web Filters
Annual Training
Vendor Management









Secured Storage
Password
Requirements
Encryption
Policies & Procedures
Provide Encrypted
Removable Media
Computer Logs
Document shredding
Secured trash disposal
Secure Email
FFIEC Internet Authentication Guidance

Current Security
• Reverse Phishing
• Multi Factor Authentication (device ID - cookie)
• Challenge Questions at Log In

New security
• Complex Device Identification
• Complex Challenge Questions
• Layered security for high risk transactions


Detect and respond to anomalous/suspicious
activity at log in and transaction level
Out of band authentication
• Dual Control, Isolated PC for Online Banking
What makes us the weakest link?
Convenience
Security
There is an inverse
relationship between
convenience (ease-ofuse) and security.
As you increase
security, you lose
convenience.
What Makes Us the Weakest Link?

Easily guessed passwords
• Too short, too simple, common words

Not keeping secrets
• Writing passwords down, sending
confidential data in e-mails

Trusting things we get from others
• Opening email attachments, clicking on
links
Social Engineering
Is the art of
manipulating
people into
performing
actions or
divulging
confidential
information
What do you have that they want?






Money
Customer Information
Employee Information
Business Information
Access to Systems
Why do they want access to
Systems?
Social Networking Danger

http://www.youtube.com/watch?v=A
SV25lLoROg&feature=related
Social Networking Danger
Phone profile and friend request (phishing attempt)







43%
72%
84%
87%
78%
23%
26%
accepted the friend request
gave email address
gave full DOB
gave details about workplace or education
listed current address or location
listed current phone number
provided their IM screen name
In most cases, access to photos, likes, dislikes, hobbies, employer
detail and other personal information was also accessed.
Source: Sophos YouTube video – Identity theft made easy
The Risk of Convenience

Analysis of 32 million passwords stolen
• 20% or 6.4 million used only 5000 different
passwords!
#1 123456 (used 290,731 times)
#2 12345
#3 123456789
#4 password
#5 iloveyou
Source: Imperva
Strong Passwords
Long passwords, mixing letters, numbers,
and symbols are tough to crack. Best
passwords are memorable but hard to
type!
• 8 Characters long
• Contains Upper and Lower case letters
• Contain at least one number or special
character
• Is not a dictionary word in any language
• Cannot be easily guessed
• Changed every 90 days
• Don’t tell anyone your password
• Don’t write your password down anywhere
Mnemonics Made Easy


“Water, water everywhere and not a
drop to drink” (Rhyme of the Ancient
Mariner) converts to Wwe&nadtd.
“We Three Kings from Orient Are”
converts to w3KfOr3691.
Strong Passwords

http://www.youtube.com/watch?v=a
p6QnMv0fBo&feature=related
Security Measures







Review accounts frequently
Be suspicious of emails and links
Sign up for alerts
Never register a foreign computer
Note the https
Note the banks web address
Save any shortcuts under a fake
name
Online Banking Security

http://www.youtube.com/watch?v=
mWNEoBIxhSs
Identity Theft Red Flags




You order new checks or a debit card
and never receive them
You see unauthorized activity on
your account or credit report
You receive a change of address
notice from your bank
You begin to receive calls for debt
collection
Additional Security Measures





Guard SSN, DOB, Mother’s Maiden Name
Guard your mailbox
Sign up for electronic statements
Take your receipts (ATM, Debit, Credit)
Order your credit report annually
• Equifax, Experian, TransUnion
• www.annualcreditreport.com

Shred, Shred, Shred
Identify Theft Prevention

http://www.youtube.com/watch?v=H
35DASgwPZc&feature=related
Online Security
Convenience
Security
There is an inverse
relationship between
convenience (ease-ofuse) and security.
As you increase
security, you lose
convenience.
In order to WIN, we need
to be perfect. For the
malicious party to win,
they need only to exploit
one mistake.
Resources

Identify Theft information – ESB
• http://www.bankesb-idtheft.com/home.htm

Fraud Advisory for Businesses: Corporate Account Take
Over (FBI, USSS, IC3, FS-SIAC)
• http://www.ic3.gov/media/2010/corporateaccounttakeover.pdf

Fighting back against Identify Theft (FTC)
• http://www.ftc.gov/bcp/edu/microsites/idtheft/

FBI Scams and Safety
• http://www.fbi.gov/scams-safety/

Better Business Bureau –Data Security made simpler
• http://www.bbb.org/data-security/Data-Security-MadeSimpler.pdf

Onguard Online – Consumer protection (FTC)
• http://onguardonline.gov/

Bureau of Consumer Protection – Business

http://business.ftc.gov/
Download