For Payments, the Best Offense is a Multi-Tiered Security and

Policy-Based Defense

Dan Miner, CTP – General Manager, Treasury Services, 3Delta Systems

Friday, June 8, 201210:10 – 11:00 AMPlaza B

LEGAL DISCLAIMER

Nothing we discuss today constitutes legal advice. For any specific questions, seek the independent advice of your attorney. Furthermore, lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsumautem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla facilisis at vero eros lorem ipsum. Lorem duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie on sequat, vel illum dolore eu feugiat nulla…

Consumerization of the WorkspaceData: anywhere, anytime on any device

Devices» Tablet PCs» Smart phones» Home systems used to access work assets

BYOD» Angry Birds, anyone? Fun. Harmless (probably…)» How about “DroidDream”?

Social Media» Used as a recon base for phishers

The Fine and Ancient Art of Phishing

I don’t think I bought this….

Oh, NO! My Google Adwords have stopped working.

Better get right on that!

And, Now I Am Getting Sued (by illiterates).

Trough?

And, I can’t even get paid…

From:payments@nacha.org [mailto:payments@nacha.org]Sent: Tuesday, February 22, 2011 7:32 AMTo: Doe, JohnSubject: ACH transaction rejected

The ACH transaction, recently sent from your checking account (by you or any other person), was cancelled by the Electronic Payments Association.

Please click here to view report------------------------------------------------------------------

Otto Tobin,Risk Manager= = = = = = = = = = = = = = = = = = =

Compromises At All-Time High

More breaches, less stolen data?

» Number of breaches almost doubled since 2010 Verizon Data Breach Report

» However, record loss decreases» 361 million >> 144 million >> 4 million

Verizon 2011 Data Breach Investigations Report

Compromises At All-Time High

It appears that cybercriminals are currently satisfied with compromising Point-of-Sale (POS) systems and performing account takeovers and Automated Clearing House (ACH) transaction fraud.

There has been an increase in these areas in 2010. In relation to prior years, it appeared that there were more data breaches in 2010, but the compromised data decreased due to the size of the compromised company’s databases.

This shows willingness in the cybercriminal underground to go after the smaller, easier targets that provide them with a smaller yet steady stream of compromised data.

Verizon 2011 Data Breach Investigations Report

Compromises At All-Time High

There’s been a noticeable increase in account takeovers.

This can be directly related to the continued rise of the Zeus Trojan and other malware variants created to capture login credentials to financial websites.

These account takeovers result in fraudulent transfers from the victim’s account to an account under the control of the perpetrator.

Verizon 2011 Data Breach Investigations Report

Increased Scrutiny and Liability Data Collection/Use

Explosion in use of mobile phones and apps has led to increased scrutiny of how providers and application developers are collecting, using and sharing mobile data.

WSJ articles and high-profile breaches spawned a series of congressional inquiries and hearings regarding companies’ data collection, use and sharing practices.» August 2010 – Congress asked 15 companies re: online behavioral tracking» October 2010 – Congress asked Facebook re: sending user identifiers to app

developers» April 2011 – Congress asked Apple re: location data on iPhones and iPads» May 2011 – Sen. Franken sent letters to Apple and Google asking companies to

require all apps for Apple’s iOS and Google’s Android OS have privacy policies

Legislative and Regulatory Activity

Pending cybersecurity bills in last Congress numbered over 45… and many (at least 42) already pending in the 112th Congress, including

Cybersecurity and Internet Freedom Act of 2011 (S.413) S. 21 - Cyber Security and American Cyber Competitiveness Act of 2011 S. 1151 Personal Data Privacy and Security Act of 2011 S. 1223 Location Privacy Protection Act of 2011 S. 1408 Data Breach Notification Act of 2011 S. _____ Cloud Computing Act of 2011 S. _____ Legislation on Securing the U.S. Electrical Grid H.R. 174 - Homeland Security Cyber and Physical Infrastructure Protection

Act H.R. 2096 – Cybersecurity Enhancement Act of 2011 H.R. 2577 – Secure and Fortify Electronic (SAFE) Data Act

Legislative and Regulatory Activity

Regulatory OCC Guidance re application security (OCC 2008-16) HIPAA Security Rule updates (NIST 800-66) Proposed FTC Privacy Framework (December 1, 2010) International: EU Cookie Law FFIEC Guidance supplement to the Authentication in an Internet

Banking Environment guidance

Selected Litigation Example

Experi-metal v. Comerica (2011). Successful phishing attack led to over $9MM in fraudulent transfers; lawsuit by business against bank; judge rules for business stating “[t]his trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.

PCI DSS – Penalties for Non-Compliance

Failure to comply (or certify compliance) with the PCI DSS may result in fines

Fines for non-compliance can be up to $5K - $10K per month

If you have a data breach and are not PCI-compliant, fines can be as high as $500K (MasterCard®) or $750K (VISA®)» Merchants may also be responsible for any fraudulent charges

resulting from the breach and the costs of re-issuing any cards compromised during the breach

In theory, you can be precluded from accepting credit/debit cards if your compliance deficiencies are bad enough

FFIEC Guidance Summary

Not every online transaction poses the same level of risk.

» Retail/Consumer Banking: Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk.

» Business/Commercial Banking: Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer.

FFIEC Guidance Summary

Financial institutions should implement layered security, utilizing controls consistent with the increased level of risk for covered business transactions.

Recommend that institutions offer multifactor authentication to their business customers.

FFIEC Layered Defense Suggestions

Technical Countermeasures Emphasize Enhanced Authentication

Dual customer authorization through different access devices

Out-of-band verification for transactions

"Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account

Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities

FFIEC Layered Defense Suggestions

Policy/Activity-Based Countermeasures Emphasize Usage Management

Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response

Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day and allowable payment windows [e.g., days and times]

FFIEC Layered Defense Suggestions

Policy/Activity-Based Countermeasures Emphasize Usage Management (con’t.)

Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud

Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels

Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk

Layered Security Model

Begin with the assumption your client’s systems are compromised.» Can you do business?

Contemporary systems are being developed to robustly and repeatedly answer:» Who are you? (Authentication)» Where can you go in the system? (Authorization)» What can you see when you get there? (Authorization)» What can you do when you get there? (Authorization)

Layered Security Model

And allow these rights and permissions to be assigned at various levels through the organization with vigorous logging and auditing capability (Accounting)

Layered Security Model:Data Tokenization

Investigate new methods of reducing risk such as data tokenization as means of removing the valuable and risky data from systems

» Valuable data is replaced by value-less data: Credit card number “4111 1111 2222 3333” is replaced by “PG43J74F” or otherwise useless-to-the-criminal values

» Tokenization reduces the scope of PCI efforts as the presence of a “cardholder data environment” can be reduced or eliminated

Why do ants show up at a picnic? It’s where the food is.

Summary

Corporate risk management is really getting interesting

» The number of devices and systems that directly or indirectly access financial systems are exploding and innovation is outstripping controls

» Criminal malware is very good, very prevalent, and very hard to detect

» Account takeover cases are exploding

Summary (con’t.)

Legal and regulatory consequences and impacts on corporate operations are numerous, complex and ambiguous. Rights and responsibilities are still being defined.

» Corporate as a consumer of banking / financial services

» Corporate as the provider of systems to its customers

Layered security and control models emphasizing multiple measures and countermeasures are the recommended solution

Questions / Discussion

Presenter

Dan Miner, CTPGeneral Manager, Treasury Services

3Delta Systems, Inc.Dan.Miner@3DSI.com

(w) 703.234.6016

www.3DSI.com