For Payments, the Best Offense

idleheadedceleryΚινητά – Ασύρματες Τεχνολογίες

10 Δεκ 2013 (πριν από 3 χρόνια και 7 μήνες)

53 εμφανίσεις

For Payments, the Best Offense

is a Multi
-
Tiered Security and

Policy
-
Based Defense



Dan Miner, CTP


General Manager, Treasury Services,


3Delta Systems


Friday, June 8, 2012

10:10


11:00 AM

Plaza B

LEGAL DISCLAIMER


Nothing we discuss today constitutes legal advice. For any specific
questions, seek the independent advice of your attorney. Furthermore,
lorem

duis

autem

vel

eum

iriure

dolor in
hendrerit

in
vulputate

velit

esse

molestie

on
sequat
,
vel

illum

dolore

eu

feugiat

nulla

facilisis

at
vero

eros

lorem

ipsum
.
Lorem

duis

autem

vel

eum

iriure

dolor in
hendrerit

in
vulputate

velit

esse

molestie

on
sequat
,
vel

illum

dolore

eu

feugiat

nulla

facilisis

at
vero

eros

lorem

ipsumautem

vel

eum

iriure

dolor in
hendrerit

in
vulputate

velit

esse

molestie

on
sequat
,
vel

illum

dolore

eu

feugiat

nulla

facilisis

at
vero

eros

lorem

ipsum
.
Lorem

duis

autem

vel

eum

iriure

dolor in
hendrerit

in
vulputate

velit

esse

molestie

on
sequat
,
vel

illum

dolore

eu

feugiat

nulla

facilisis

at
vero

eros

lorem

ipsum
.
Lorem

duis

autem

vel

eum

iriure

dolor in
hendrerit

in
vulputate

velit

esse

molestie

on
sequat
,
vel

illum

dolore

eu

feugiat

nulla



Consumerization of the Workspace

Data: anywhere, anytime on any device


Devices

»
Tablet PCs

»
Smart phones

»
Home systems used to access work assets


BYOD

»
Angry Birds, anyone? Fun. Harmless (probably…)

»
How about “
DroidDream
”?


Social Media

»
Used as a recon base for phishers


The Fine and Ancient Art of Phishing

I don’t think I bought this….

Oh, NO! My Google
Adwords


have stopped working.


Better get right on that!

And, Now I Am Getting Sued

(by illiterates).

Trough?

And, I can’t even get paid…

From:
payments@nacha.org [mailto:payments@nacha.org]

Sent:

Tuesday, February 22, 2011 7:32 AM

To:

Doe, John

Subject:

ACH transaction rejected


The ACH transaction, recently sent from your checking account (by you or any
other person), was cancelled by the Electronic Payments Association.


Please
click here

to view report

------------------------------------------------------------------


Otto Tobin,

Risk Manager

= = = = = = = = = = = = = = = = = = =




Compromises A
t All
-
Time High


More breaches, less stolen data?

»
Number of breaches almost doubled since 2010
Verizon Data Breach Report

»
However, record loss decreases

»
361 million >> 144 million >> 4 million



Verizon 2011 Data Breach Investigations Report

Compromises A
t All
-
Time High


It appears that cybercriminals are currently satisfied with
compromising Point
-
of
-
Sale (POS) systems and performing account
takeovers and Automated Clearing House (ACH) transaction fraud
.


There has been an increase in these areas in 2010. In relation to prior
years, it appeared that there were more data breaches in 2010, but
the compromised data decreased due to the size of the compromised
company’s databases.


This shows willingness in the cybercriminal underground to go after
the smaller, easier targets that provide them with a smaller yet steady
stream of compromised data.


Verizon 2011 Data Breach Investigations Report

Compromises A
t All
-
Time High


There’s been a noticeable increase in account takeovers.


This can be directly
related to the continued rise of the Zeus Trojan
and other malware variants created to capture login credentials to
financial websites.


These account takeovers result in fraudulent transfers from the
victim’s account to an account under the control of the perpetrator.

Verizon 2011 Data Breach Investigations Report

Increased Scrutiny and Liability

Data Collection/Use


Explosion in use of mobile phones and apps
has led to increased scrutiny of
how providers and application developers are collecting, using and sharing
mobile data.


WSJ articles and high
-
profile breaches
spawned a series of congressional
inquiries and hearings regarding companies’ data collection, use and sharing
practices.

»
August 2010


Congress asked 15 companies re: online behavioral tracking

»
October 2010


Congress asked Facebook re: sending user identifiers to app
developers

»
April 2011


Congress asked Apple re: location data on iPhones and
iPads

»
May 2011


Sen. Franken sent letters to Apple and Google asking companies to
require all apps for Apple’s iOS and Google’s Android OS
have privacy policies

Legislative and Regulatory Activity

Pending cybersecurity bills in last Congress numbered over 45…


and many (at least 42) already pending in the 112
th

Congress, including


Cybersecurity and Internet Freedom Act of 2011 (S.413)


S. 21
-

Cyber Security and American Cyber Competitiveness Act of 2011


S. 1151 Personal Data Privacy and Security Act of 2011


S. 1223 Location Privacy Protection Act of 2011


S. 1408 Data Breach Notification Act of 2011


S. _____ Cloud Computing Act of 2011


S. _____ Legislation on Securing the U.S. Electrical Grid


H.R. 174
-

Homeland Security Cyber and Physical Infrastructure Protection Act


H.R. 2096


Cybersecurity Enhancement Act of 2011


H.R. 2577


Secure and Fortify Electronic (SAFE) Data Act



Legislative and Regulatory Activity

Regulatory


OCC Guidance re application security (OCC 2008
-
16)


HIPAA Security Rule updates (NIST 800
-
66)


Proposed FTC Privacy Framework (December 1, 2010)


International: EU Cookie Law


FFIEC Guidance supplement to the
Authentication in an Internet
Banking Environment

guidance



Selected Litigation Example



Experi
-
metal v. Comerica (2011)
. Successful phishing attack
led to over $9MM in fraudulent transfers; lawsuit by
business against bank; judge rules for business stating
“[t]his
trier of fact is inclined to find that a
bank dealing
fairly with its customer, under these circumstances, would
have detected
and/or stopped
the fraudulent wire activity
earlier.



PCI DSS



Penalties for Non
-
Compliance


Failure to comply (or certify compliance) with the PCI DSS may
result in fines


Fines for non
-
compliance can be up to $5K
-

$10K per month


If you have a data breach and are not PCI
-
compliant, fines can be
as high as $500K (MasterCard®) or $750K (VISA®)

»
Merchants may also be responsible for any fraudulent charges
resulting from the breach and the costs of re
-
issuing any cards
compromised during the breach


In theory, you can be precluded from accepting credit/debit cards
if your compliance deficiencies are bad enough



FFIEC Guidance Summary


Not every online transaction poses the same level of risk.

»
Retail/Consumer Banking
: Since the frequency and dollar amounts
of these transactions are generally lower than commercial
transactions, they pose a comparatively lower level of risk.

»
Business/Commercial Banking
: Online business transactions
generally involve ACH file origination and frequent interbank wire
transfers. Since the frequency and dollar amounts of these
transactions are generally higher than consumer transactions, they
pose a comparatively increased level of risk to the institution and
its customer.

FFIEC Guidance Summary



Financial institutions should implement layered security,
utilizing controls consistent with the increased level of risk for
covered business transactions.


Recommend that institutions offer multifactor authentication
to their business customers.

FFIEC Layered Defense Suggestions


Technical Countermeasures Emphasize


Enhanced Authentication



Dual customer authorization through different access devices


Out
-
of
-
band verification for transactions


"Positive pay," debit blocks, and other techniques to
appropriately limit the transactional use of the account


Internet protocol [IP] reputation
-
based tools to block
connection to banking servers from IP addresses known or
suspected to be associated with fraudulent activities



FFIEC Layered Defense Suggestions

Policy/Activity
-
Based Countermeasures
Emphasize Usage Management



Fraud detection and monitoring systems that include
consideration of customer history and behavior and enable a
timely and effective institution response


Enhanced controls over account activities, such as transaction
value thresholds, payment recipients, number of transactions
allowed per day and allowable payment windows [e.g., days
and times]


FFIEC Layered Defense Suggestions

Policy/Activity
-
Based Countermeasures
Emphasize Usage Management (
con’t
.)



Policies and practices for addressing customer devices identified as
potentially compromised and customers who may be facilitating
fraud


Enhanced control over changes to account maintenance activities
performed by customers either online or through customer service
channels


Enhanced customer education to increase awareness of the fraud
risk and effective techniques customers can use to mitigate the risk


Layered Security Model


Begin with the assumption your client’s systems are
compromised.

»
Can you do business?


Contemporary systems are being developed to robustly and
repeatedly answer:

»
Who are you? (Authentication)

»
Where can you go in the system? (Authorization)

»
What can you see when you get there? (Authorization)

»
What can you do when you get there? (Authorization)

Layered Security Model


And allow these rights and permissions to be assigned at
various levels through the organization with vigorous
logging and auditing capability (Accounting)

Layered Security Model:

Data Tokenization


Investigate new methods of reducing risk such as data
tokenization as means of removing the valuable and risky data
from systems

»
Valuable data is replaced by value
-
less data: Credit card number
“4111 1111 2222 3333” is replaced by “PG43J74F” or otherwise
useless
-
to
-
the
-
criminal values

»
Tokenization reduces the scope of PCI efforts as the presence of
a “cardholder data environment” can be reduced or eliminated


Why do ants show up at a picnic? It’s where the food is.

Summary


Corporate risk management is really getting interesting

»
The number of devices and systems that directly or indirectly
access financial systems are exploding and innovation is
outstripping controls

»
Criminal malware is very good, very prevalent, and very hard to
detect

»
Account takeover cases are exploding


Summary (
con’t
.)


Legal and regulatory consequences and impacts on corporate
operations are numerous, complex and ambiguous. Rights
and responsibilities are still being defined.

»
Corporate as a consumer of banking / financial services

»
Corporate as the provider of systems to its customers


Layered security and control models emphasizing multiple
measures and countermeasures are the recommended
solution


Questions / Discussion

Presenter

Dan Miner, CTP

General Manager, Treasury Services

3Delta Systems, Inc.

Dan.Miner@3DSI.com

(w) 703.234.6016


www.3DSI.com