Securing Internet Payment Systems
Domenico Catalano, Principal Sales Consultant
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda
• Trends in online Payments
• Cybercrime
• ECB & Security Measures
• Oracle Approach
• Layered Access Security
• Oracle Experience – BT MFR use case
• Q&A
Trends in online Payments
Payments through the Internet
• Making a remote payment card transaction through the Internet
• Online-banking based credit transfer or direct debits
• Payments through e-payment providers
Towards an integrated European market for card, internet and mobile payments
Figure: European online shoppers and spend.
• 2009: 141 million online shoppers, EUR 483 per capita
• 2014: 190 million online shoppers, EUR 601 per capita
Source: Forrester Research
Cybercrime Threat to the Financial Sector
• Account Takeovers
• Third Party Payment Processor Breaches
• Securities and Market Trading Exploitation
• ATM Skimming and Point of Sale Schemes
• Mobile Banking Exploitation
• Insider Access
• Supply Chain Infiltration
• Telecommunication Network Disruption
Figure: compromised records by industry group. Source: Verizon, 2011 Data Breach Investigations Report
Threat list source: FBI, Cyber Security: Threats to the Financial Sector
Security Measures
ECB Recommendation Security of Internet Payments
• General control and security environment.
• Specific control and security measures for Internet Payments.
• Customer awareness, education and communication.
Recommendations for the Security of Internet Payments - ECB
Figure: four-party card payment flow. The Cardholder makes a Purchase on the Merchant's Web Site; the Payment passes from the Merchant to the Acquirer, which requests Authorization from the Issuer.
ECB Recommendation: Specific Control and Security Measures for Internet Payments
• Initial customer identification, information
• Strong customer authentication
• Enrolment for and provision of strong authentication tools
• Log-in attempts, session time-out, validity of authentication
• Transaction monitoring and authorization
• Protection of sensitive payment data
Oracle Approach
Oracle Approach General Control and Security Environment
The Identity Platform
Comprehensive Database Security
Layered Access Security
Evolution of Web Access Security
Single Sign On
Multi-factor Authentication
Role Based Access Control
Layered Access Security
"PSPs with no or only weak authentication procedures cannot, in the event of a disputed transaction, provide proof that the customer has authorised the transaction." – ECB, Recommendations for the Security of Internet Payments
Oracle Adaptive Access Manager: Trust, But Verify
Figure: a user (John Smith) presents a password from a device at a location; OAAM verifies the identity against successive security layers (password, device, location, data sources) before granting access to protected resources.
The layers answer three questions:
• Authentication is valid, but is this really John Smith?
• Is anything suspicious about John's access request?
• Can John answer a challenge if the risk is high?
Context-Aware Risk Analysis
• Pattern Detection: dynamic behavioral profiling in real time
  – In the last month, has Joe used this device for less than 3% of his access requests?
  – In the last three months, have less than 1% of all users accessed from this country?
• Static Scenarios: specific scenarios that always equate to risk
  – If a device appears to be travelling faster than jet speed between logins, the risk is increased.
• Predictive Analysis: indicates the probability that a situation would occur
  – Is the probability less than 5% that an access request would have this combination of data values?
✓ Analyzes risk in real time
✓ Profiles behaviors
✓ Recognizes patterns
✓ Detects anomalies
✓ Takes preventative actions
Risk-Based Identity Verification
Figure: a risk gauge running from LOW through MED-LOW and MED-HIGH to HIGH, with the response ranging from ALLOW to DENY.
• If the risk is low: do nothing.
• If the risk is medium: ask a challenge question.
• If the risk is high: send a one-time password to the user's mobile phone.
• If the risk is very high: deny access and alert the security team.
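The following is an added example, not Oracle's OAAM code, showing how the three analysis types above (pattern detection, static scenarios, predictive analysis) can feed one risk score that is then mapped to the four responses on this slide. The login history, the coordinates, the score weights and the response thresholds are all assumptions constructed for the example; OAAM's real thresholds and weights are not given on the page.

```python
"""Miniature context-aware risk engine (added example; not OAAM code).

Three rule classes contribute to one score:
  - pattern detection : is this device / country unusual for the user or the population?
  - static scenario   : impossible travel (distance / time faster than a jet)
  - predictive        : is this (device, country) combination rare across all requests?
The score is then mapped to allow / challenge / OTP / deny.
All history below is constructed sample data; weights and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    device: str
    country: str
    lat: float
    lon: float
    when: datetime


JET_SPEED_KMH = 1000.0  # assumption: faster than this between logins counts as impossible travel
# Assumed score weights (the slide gives none)
WEIGHTS = {"rare_device": 30, "rare_country": 30, "impossible_travel": 40, "rare_combo": 20}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(event, history):
    """Score one login against the prior logins of all users. Returns (score, reasons)."""
    score, reasons = 0, []
    mine = [h for h in history if h.user == event.user and h.when < event.when]
    everyone = [h for h in history if h.when < event.when]

    # Pattern detection: has this user used this device in <3% of last month's requests?
    month = [h for h in mine if event.when - h.when <= timedelta(days=30)]
    if month and sum(h.device == event.device for h in month) / len(month) < 0.03:
        score += WEIGHTS["rare_device"]
        reasons.append("rare_device")

    # Pattern detection: did <1% of all users access from this country in the last 3 months?
    quarter = [h for h in everyone if event.when - h.when <= timedelta(days=90)]
    if quarter:
        all_users = {h.user for h in quarter}
        from_country = {h.user for h in quarter if h.country == event.country}
        if len(from_country) / len(all_users) < 0.01:
            score += WEIGHTS["rare_country"]
            reasons.append("rare_country")

    # Static scenario: travelling faster than jet speed since the user's last login
    if mine:
        last = max(mine, key=lambda h: h.when)
        hours = (event.when - last.when).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        if hours > 0 and km / hours > JET_SPEED_KMH:
            score += WEIGHTS["impossible_travel"]
            reasons.append("impossible_travel")

    # Predictive: is this (device, country) combination seen in <5% of all requests?
    combos = Counter((h.device, h.country) for h in everyone)
    if everyone and combos[(event.device, event.country)] / len(everyone) < 0.05:
        score += WEIGHTS["rare_combo"]
        reasons.append("rare_combo")
    return score, reasons


def respond(score):
    """Map the score to the slide's four responses (thresholds are assumptions)."""
    if score < 30:
        return "ALLOW"
    if score < 60:
        return "CHALLENGE_QUESTION"
    if score < 90:
        return "OTP_TO_MOBILE"
    return "DENY_AND_ALERT"


def assess(event, history=None):
    score, reasons = score_login(event, SAMPLE_HISTORY if history is None else history)
    return {"score": score, "reasons": reasons, "response": respond(score)}


# Constructed sample history: joe and ann log in from London, bob from Berlin, daily.
NOW = datetime(2012, 6, 1, 12, 0)
LONDON, MOSCOW, BERLIN = (51.5074, -0.1278), (55.7558, 37.6173), (52.52, 13.405)


def _logins(user, device, country, lat, lon, days):
    return [Login(user, device, country, lat, lon, NOW - timedelta(days=d)) for d in range(1, days + 1)]


SAMPLE_HISTORY = (_logins("joe", "laptop-1", "GB", *LONDON, 30)
                  + _logins("ann", "laptop-2", "GB", *LONDON, 20)
                  + _logins("bob", "desktop-3", "DE", *BERLIN, 20))

T = NOW - timedelta(hours=23)  # one hour after joe's most recent login
BENIGN = Login("joe", "laptop-1", "GB", *LONDON, T)        # usual device and place
NEW_DEVICE = Login("joe", "tablet-2", "GB", *LONDON, T)    # unseen device, usual place
SUSPICIOUS = Login("joe", "phone-9", "RU", *MOSCOW, T)     # new device, new country, 2500 km in 1 h

if __name__ == "__main__":
    for e in (BENIGN, NEW_DEVICE, SUSPICIOUS):
        print(e.device, e.country, assess(e))
```

The three sample events land on three different responses: the usual device from the usual place scores 0 and is allowed; an unseen device from the usual place trips only the profiling and combination checks and gets a challenge question; a new device from a country no user has visited, one hour after a London login, trips every rule and is denied with an alert. In a real deployment the weights would be tuned against observed fraud and the response would also consider the value of the resource being accessed.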
Data Relationships
• First-class entities: User, Device, IP, etc.
• Data sources: SQL, Files, JMS, WS, HTTP
• Transaction data: Dollar Amount, Item Quantities, Item Numbers, Coupon Code, Shipping Priority
• Entity instances: Shipping Address, Billing Address, Credit Card
  – Address: Street Number, Street Name, Apt. Number, City, State, ZIP Code, Country
  – Credit Card: First Name, Last Name, Middle Initial, Number, Security Code, Expiration
• Rule A: If a purchase originates from a country not matching the country in the billing address, then create an alert.
• Rule B: If an item has been purchased more than twice in the last week from a single device, each time using a different credit card, then create an alert.
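An added example, not Oracle's or BT's code, that evaluates Rule A and Rule B from this slide over a time-ordered stream of purchase transactions. The Transaction fields, the sample transactions and the seven-day window are constructed for the example; the card is referred to by a token rather than the card number or security code, which a rules engine has no need to hold.

```python
"""Rule A and Rule B from the slide, run over a transaction stream (added example).

All transactions below are constructed sample data; the Transaction fields are
assumptions about what a payments processor would pass to the rules engine.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    device: str           # device fingerprint / cookie the purchase came from
    origin_country: str   # country the purchase originates from (geo-located IP)
    billing_country: str  # country in the card's billing address
    card_ref: str         # card token; never the PAN or the security code
    item: str
    amount: float
    when: datetime


def rule_a(txn):
    """Rule A: the purchase originates from a country that does not match the
    country in the billing address."""
    return txn.origin_country != txn.billing_country


def rule_b(txn, earlier, window=timedelta(days=7)):
    """Rule B: this item has been purchased more than twice in the last week from
    this device, each purchase using a different credit card.
    `earlier` holds the transactions already processed (all devices)."""
    same = [t for t in earlier
            if t.device == txn.device and t.item == txn.item
            and txn.when - window <= t.when < txn.when]
    same.append(txn)
    cards = {t.card_ref for t in same}
    # "more than twice, each with a different card": at least three purchases
    # that between them used at least three distinct cards
    return len(same) > 2 and len(cards) > 2


def evaluate(transactions):
    """Run both rules in time order; return (rule, txn_id) alerts."""
    alerts, earlier = [], []
    for txn in sorted(transactions, key=lambda t: t.when):
        if rule_a(txn):
            alerts.append(("RuleA", txn.txn_id))
        if rule_b(txn, earlier):
            alerts.append(("RuleB", txn.txn_id))
        earlier.append(txn)
    return alerts


T0 = datetime(2012, 6, 1, 9, 0)


def _txn(txn_id, device, origin, billing, card, item, day):
    return Transaction(txn_id, device, origin, billing, card, item, 99.0, T0 + timedelta(days=day))


# Constructed sample stream
SAMPLE = [
    _txn("t1", "dev-A", "GB", "GB", "tok-1111", "phone", 0),     # normal
    _txn("t2", "dev-A", "US", "GB", "tok-1111", "phone", 1),     # Rule A: origin != billing
    _txn("t3", "dev-B", "FR", "FR", "tok-2222", "console", 2),
    _txn("t4", "dev-B", "FR", "FR", "tok-3333", "console", 3),
    _txn("t5", "dev-B", "FR", "FR", "tok-4444", "console", 4),   # Rule B: third card in a week
    _txn("t6", "dev-B", "FR", "FR", "tok-5555", "console", 12),  # t3..t5 fell out of the window
    _txn("t7", "dev-C", "DE", "DE", "tok-6666", "laptop", 0),
    _txn("t8", "dev-C", "DE", "DE", "tok-6666", "laptop", 1),
    _txn("t9", "dev-C", "DE", "DE", "tok-6666", "laptop", 2),    # same card three times: no alert
]

if __name__ == "__main__":
    for rule, txn_id in evaluate(SAMPLE):
        print(rule, txn_id)
```

Only t2 (Rule A) and t5 (Rule B) raise alerts: t6 shows the sliding window expiring, and t7 to t9 show that repeat purchases on one card are not what Rule B is looking for. A production engine would key Rule B on the device entity shared across all merchants of the processor, which is what makes card-testing from a single device visible even when each purchase looks normal on its own.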
Become Context Aware: Prevent and Detect Anomalous Behavior
Reducing the surface area of attacks: 89% preventable breaches.
Source: "Adaptive Access Management: An ROI Study", a commissioned study conducted by IDC on behalf of Oracle, 2010
• ROI: 106%
• Payback period: 12.1 months
• Total benefits: $6,007,641
• Total costs: ($2,912,513)
• Net benefits: $3,095,129
Oracle Experience BT Managed Fraud Reduction
BT Managed Fraud Reduction (MFR)
• BT MFR is an automated fraud screening service developed by BT based on Oracle technologies.
• BT MFR assesses the risk of each e-Commerce transaction.
• BT MFR makes a risk assessment based on the behavior of the user.
• BT MFR is complementary to existing fraud checks performed as part of payment authorization.
• BT MFR is a real-time service.
BT MFR: Architecture and Extensibility
Figure: the Payments Processor/Merchant calls the Oracle Service Bus (OSB); OSB determines call routing to the OAAM Fraud Rules Engine and to the optional and future services, and returns an aggregated response to the Payments Processor/Merchant.
Optional and future services:
• BTMA Strong Authentication
• URU ID Verification
• CLI Calling Line Identification
• Quova Location Detection
• Ethoca Fraud Intelligence
• GB Group Business Data
www.facebook.com/OracleIDM www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM
www.oracle.com/Identity