DATA SECURITY: A Critical Factor in Cashless Economy

Oct 28, 2015

2

Pre-Cashless Era: Cash Everywhere

A cash-based economy is a system in which financial transactions are carried out in cash rather than electronic means such as direct debit, standing order, bank transfer, or credit card.

In 2011, it was estimated that 99% of over 215 million customer transactions in Nigerian banks were cash-related (i.e; through ATM and over-the-counter) and this was valued at about N2.1 trillion or 5% of GDP.

It is estimated that an average Nigerian transacts about N65 in cash out of every N100 income earned.

3

Introduction of Cashless Economy

The Nigeria‘s cashless policy took effect from April 1, 2012 in Lagos and later rolled out to other part of the Country.

This policy set a platform for an efficient payment system anchored on electronic – based transactions.

Mobile payment system introduced at the dawn of January 1, 2012 allows users to make payments with their GSM phones.

The Point of Sale (PoS) terminals were deployed by Banks, PTSPs and connected to the NIBSS for purposes of making payments.

The essence of the policy is to shift the economy from a cash-based economy to a cashless one.

4

Cashless Economy: The Channels

Reduce the over reliance on cash for transactions

5

- Business to Business (B2B)- Business to Consumer (B2C)- Consumer to Business (C2B)- Consumer to Consumer (C2C)- Government to Citizen (G2C)- Citizen to Government (C2G)- Exchange to Exchange (E2E)- Intra-business (Organization Unit to Organization Unit)

Types of Interaction in a cashless economy

6

The Nigeria Cashless Policy: Where we are

Across all payment channels in the financial industry; including electronic and non-electronic based platform, Nigeria has experienced a massive rise in the volume and value of transactions processed yearly.

Table 1 Total transaction volume and value processed by the NCS (Nigeria Central Switch)

In the year 2014, the Central Switch (NIBSS) alone processed over 100million transactions in terms of volume with a corresponding value of over NGN 40 Trillion (over USD 208 Billion). Furthermore,

The volume of transactions grew by over 50% between 2013 and 2014 with its value also growing by 28%.

Year End Volume Value

2013 74,059,575 34,191,968,951,140

2014 113,421,933 43,857,678,478,941

% Change 53% Increase 28% Increase

7

Cashless Policy: Any Benefit?

The process creates greater transparency and accountability, leading to greater efficiency and better economic performance

Consumer Corporation Government

Increased convenience

Faster access to capital

Increased tax collections

More service options

Reduced revenue leakage

Greater financial inclusion

Reduced risk of cash-related crimes

Reduced cash handling costs and risk

Increased economic development

Improved security

8

Nigeria Cashless Economy: The Challenges

Behavioural constraints Lack of confidence Low level of internet penetration Telecommunication issues Lack of suitable legal framework Required Huge Investments Reliable Communication Networks High rates of illiteracy Frequent power interruption More internal threats Prevalent social engineering attacks Identification issue Security Greater magnitude and impact of fraud

Cashless policy, despites its numerous benefits comes with its own challenges even in the developed world.

9

E-Payment Space: The Security Challenge

Weapons of mass infection

In the last several years, we’ve seen a disturbing trend…Attackers are innovating much faster than defenders are.

10

11

Cashless Economy: The Security Issues

Online shopping, money transfers and online banking save us a lot of time and make our lives easier. However, these same technologies also make life easier for cybercriminals by offering them new, sophisticated and easy ways to steal personal data.

Using stolen payment data is an effective and popular way of making a quick money.

Although banks try to protect their customers, attacks against individual users are still quite common. Hacking a bank is more time-consuming and expensive and the risk of being caught is higher.

By contrast, many individual customers use computers with numerous vulnerabilities, which are easier to compromise.

By stealing a relatively small amount from each hijacked online banking account, a cybercriminal has a good chance of going undetected.

12

Fraud Landscape 2014 Report

Taking polls from our last two years fraud data, there was a significant rise of up to 78% in the volume of fraudulent cases in 2014. Although the value of the attempted fraudulent transactions reduced, there was a huge increase in the moneys that were actually lost to fraudsters. Further analysis showed that the percentage of Actual Loss Value as against Attempted Fraud value increased by up to 77% from 3% to 80% within one calendar year. This helps to emphasize the need for more security measures in handling payment cards as individuals, and improved security practices as corporate bodies to help minimize fraud rates.

Total fraud trend in terms of percentage change between 2013 and 2014

Year End Fraud Volume

Attempted Fraud Value

Actual Loss Value

% Actual Loss Value in Attempted Fraud Value

2013 855 19,148,787,069 485,194,350 3%

2014 1,461 7,750,152,748 6,215,987,323 80%

% Change 78% -60% 1181% 77%

13

The money is now in e-Channels….

Reporter Mitch Ohnstad : Why do you rob banks?

Willie Sutton (Famous robber): “Because that's where the money is."

14

In 40 years Willie Sutton stole $2 million dollars

In one day, Rodriguez stole $45 million dollars

In 40 years Willie Sutton was able to steal only in one country

In one day, Rodriguez stole in 27 countries AT THE SAME TIME

Willie Sutton had to be present where ever he was stealing

Rodriguez doesn’t need to be present where ever he was stealing

Willie Sutton used guns and masks

Rodriguez uses Laptop and Internet

Then… … Now

If Sutton were living today, he might have made the career move to hacker!!.

15

Data security refers to protective measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption. Data security is the main priority for organizations of every size and genre.

Data security is a key concern to the financial sector, being that a lot of customer’s data are processed and held.

Data Security

16

Consumers’ fears about data loss affect their willingness to use new service delivery channels; almost one in three internet users say they do not bank online because of concerns about security.

Some firms regard data security as the sole responsibility of IT staff, whose responsibilities include creating technical systems and controls to prevent data loss. While in the real sense of things data security is everybody's responsibility.

Data Security Facts

17

So it is in everyone’s interest to have a good awareness of data security and to establish effective controls to prevent their customer data from being used for financial crime

Data Security Facts Cont’d

18

“Whollup”: How did they get my personal data?

19

Cashless Economy: How do we secure consumer’s Personal Data, What should we be doing?

The financial industry manage the most sensitive, high-value information in the world. Our mandate is to protect it

20

Securing the Consumer’s Data

The Financial industry have always made frantic effort to improve data security across all channels within the e-Payment space.

Security Standards are implemented to ensure service providers that “store”, “process” or “transmit” customer payment data adhere strictly to information security controls and processes that ensure data protection.

Players across the payments processing chain must enhance payment data security globally, while embracing new technologies as they are developed.

In an era of increasingly sophisticated attacks on systems, adhering to the global Security Standards is the best protection against network security threats and data breaches.

21

Data Security: Policies and Standards (PCI, ISO, NIST..)

To help prevent the theft of card data and protect cardholder data, the five founding global payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. launched the PCI Security Standards Council in 2006. PCI-DSS stands for Payment Card Industry (PCI) Data Security Standard (DSS).

It is the technical requirements of each of the data security compliance programs intended to ensure that every card processing procedures meet certain security requirements.

The PCI-DSS applies to all organizations that store, process or transmit cardholder data. EVERY business that accepts debit or credit card processing payments and stores, processes or transmits payment card data MUST MEET the PCI-DSS.

With the rising incidence of security compromises, it is more important than ever to protect consumer data

22

PCI DSS: Building Fence around Cardholder Data

The following requirements comprise the PCI Data Security Standards:

Install and maintain a firewall configuration to protect Cardholder dataDo not use vendor-supplied defaults for system passwords and other security parametersProtect stored cardholder dataEncrypt transmission of customer’s data across the networksUse and regularly update anti-virus software or programDevelop and maintain secure systems and applicationsRestrict access to cardholder data by business need-to-knowAssign a unique ID to each person with computer accessRestrict physical access to cardholder dataTrack and monitor all access to network resources and cardholder dataRegularly test security systems and processesMaintain a policy that addresses information security for all Personnel

Protecting Cardholder Data is the business of every businesses

23

Customer Data protection: the Banks Perspective

Banks and payment platforms be actively protecting their users with the use of: Sophisticated multi-factor authentication The use of additional devices such as tokens to authenticate transactions Various warnings of possible fraudImplementation of short codesSetup of fraud desk and dedicated phone linesThe industry should be ensuring a 360-degree protection on the client side, securing user’s computer, communication channel and ensuring it connects to the right server.

As attacks targeting corporate online banking applications grow more sophisticated, financial institutions need to strengthen their defenses.

24

Encryption of Data (In Transit & At Rest)

Once employed only for the most sensitive government secrets, encryption is today a common practice with strategic importance for businesses of all types.

Financial institutions, retailers, healthcare providers, and others must protect customer information and are often bound by data breach disclosure laws. All types of businesses must keep private their diverse information about employees, customers, business operations, and intellectual property.

Given that failure to protect confidential information may be not only embarrassing but also illegal, it’s easy to see why encryption is a core component in a broad data protection and IT security strategy.

Encryption transforms data into an unusable form, reducing the risk in the case of unauthorized access.

25

Strong Authentication to secure today’s consumers

One critical pillar in any security system is authentication—the process of verifying the identity of users, applications, or devices before giving them access to sensitive data or systems. Today’s authentication schemes range from a simple user ID and password to multi-factor approaches that include smart cards, PINs, mobile devices, and biometrics. The reason for this variety in authentication approaches is simple—applications require different degrees of assurance that users are who they claim to be.

Financial institution should install Security Modules (HSMs, SSMs) to your current authentication processes, you can create high-assurance systems to authenticate users paying for products and services through web sites and mobile devices, employees using internal systems, and a variety of connected devices accessing the network.

Financial institution must supports encrypted passwords, EMV authentication, smart cards, PKI based digital certificates, a wide range of one-time password (OTP) tokens, and SMS or mobile text based authentication.

26

Data Security: Organizations and Its Roles

Educate employee on security threats and best practices for protecting consumers data.  

Pre-employment screening Ensure your business has a firewall, anti-virus, malware and spyware detection

software. And don’t forget to regularly update the software. Ensure tight measures and control on downloads, software installations, use of

flash drives and public Wi-Fi connections on computers used for payment card processing.

Ensure dedicated and separate servers/networks for the processing of online financial transactions. 

Change your passwords regularly Ensure regularly back up your computers and the key data you want to protect.

27

E-Fraud: The Industry effort

Education and Sensitization of the general public Establishment of Industry Fraud Desk(s) Regulatory and oversight functions by CBN Investment in huge infrastructure by major DMBs, Switches and Processors Introduction of Biometric Verification Number (BVN) Collaboration among key stakeholders Successful signing of the CyberCrime 2015 Act.

28

http://map.norsecorp.com/v1/ ALL

https://www.fireeye.com/cyber-map/threat-map.html new attacks

If we do not implement Data security, we would fall prey to frauds.

If we fall prey to frauds, people would loose confidence in electronic payments.

If electronic payment fails, Cashless Economy fails.

If cashless economy fails, we lost all the gains we have made in recent times.

DATA SECURITY IS A MUST!

Final Thoughts

29

Nigeria Inter-Bank Settlement System Plc

… Improving the Nigeria Payments System

1230b Ahmadu Bello Way Victoria Island,

Lagos, Nigeria

Tel: +234 1 2716071-4

www.nibss-plc.com

THANK YOU

Olufemi Fadairoofadairo@nibss-plc.com.ng

08025624929