Securing Internet Payment Systems

Domenico Catalano, Principal Sales Consultant

Posted 08-May-2015

Page 1: Securing Internet Payment Systems

Securing Internet Payment Systems

Domenico Catalano, Principal Sales Consultant

Page 2

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Page 3

Agenda

•  Trends in online Payments

•  Cybercrime

•  ECB & Security Measures

•  Oracle Approach

•  Layered Access Security

•  Oracle Experience – BT MFR use case

•  Q&A

Page 4

Trends in online Payments

Page 5

Payments through the Internet

•  Making a remote payment card transaction through the Internet
•  Online-banking based credit transfer or direct debits
•  Payments through e-payment providers

Towards an integrated European market for card, internet and mobile payments

2009: 141 million online shoppers, EUR 483 per capita
2014: 190 million online shoppers, EUR 601 per capita

Source: Forrester Research

Page 6

Cybercrime Threat to the Financial Sector

Account Takeovers

Third Party Payment Processor Breaches

Securities and Market Trading Exploitation

ATM Skimming and Point of Sale Schemes

Mobile Banking Exploitation

Insider Access

Supply Chain Infiltration

Telecommunication Network Disruption

Threat list source: FBI, Cyber Security: Threats to the Financial Sector

Chart: compromised records by industry group. Source: Verizon – 2011 Data Breach Investigation

Page 7

Security Measures

Page 8

ECB Recommendation: Security of Internet Payments

• General control and security environment.

• Specific control and security measures for Internet Payments.

• Customer awareness, education and communication.

Recommendations for the Security of Internet Payments - ECB

Diagram: card payment parties (Cardholder, Merchant's Web Site, Acquirer, Issuer) and the flows between them (Purchase, Payment, Authorization).

Page 9

ECB Recommendation: Specific Control and Security Measures for Internet Payments

•  Initial customer identification, information
•  Strong customer authentication
•  Enrolment for and provision of strong authentication tools
•  Log-in attempts, session time-out, validity of authentication
•  Transaction monitoring and authorization
•  Protection of sensitive payment data

Recommendations for the Security of Internet Payments - ECB

Page 10

Oracle Approach

Page 11

Oracle Approach General Control and Security Environment

Page 12

The Identity Platform

Page 13

Comprehensive Database Security

Page 14

Layered Access Security

Page 15

Evolution of Web Access Security

Single Sign On

Multi-factor Authentication

Role Based Access Control

Layered Access Security

“PSPs with no or only weak authentication procedures cannot, in the event of a disputed transaction, provide proof that the customer has authorised the transaction.” – ECB, Recommendations for the Security of Internet Payments

Page 16

Oracle Adaptive Access Manager: Trust, But Verify

Diagram: the access request of user “John Smith” passes through the security layers (Password, Device, Location, Data Sources) and a Verify ID step before reaching the Protected Resources.

Authentication is valid, but is this really John Smith? Is anything suspicious about John’s access request? Can John answer a challenge if the risk is high?

Page 17

Context-Aware Risk Analysis

Pattern Detection

•  Dynamic behavioral profiling in real-time
•  In the last month has Joe used this device for less than 3% of his access requests?
•  In the last three months have less than 1% of all users accessed from the country?

Static Scenarios

•  Specific scenarios that always equate to risk
•  If a device appears to be traveling faster than jet speed between logins, the risk is increased.

Predictive Analysis

•  Indicates the probability that a situation would occur
•  Is the probability less than 5% that an access request would have this combination of data values?

✓  Analyzes risk in Real-Time
✓  Profiles Behaviors
✓  Recognizes Patterns
✓  Detects Anomalies
✓  Takes Preventative Actions

Page 18

Risk-Based Identity Verification

Chart: RISK (LOW, MED-LOW, MED-HIGH, HIGH) against RESPONSE (ALLOW to DENY); example point labelled “Hacking for Fame”.

If the risk is low: Do nothing
If the risk is medium: Ask a challenge question
If the risk is high: Send a one-time password to the user's mobile phone
If the risk is very high: Deny access and alert the security team
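As an added example (not Oracle's or OAAM's code), the three rule classes of slide 17 feeding the tiered response of slide 18, in Python. The thresholds (3%, 1%, jet speed) and the risk labels come from the slides; the `Login` record shape, the 900 km/h jet speed and the one-level-per-fired-rule scoring are assumptions made here.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
MONTH, THREE_MONTHS = 30 * 86400, 90 * 86400  # the windows named on the slide
JET_SPEED_KMH = 900.0  # assumed cruising speed for the "faster than a jet" scenario

@dataclass
class Login:
    user: str
    device: str
    country: str
    lat: float
    lon: float
    ts: int  # seconds since epoch

def km_between(a: Login, b: Login) -> float:  # great-circle (haversine) distance, km
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def triggered_rules(login: Login, history: list[Login]) -> list[str]:
    """Evaluate the slide's three rule classes against earlier logins of all users."""
    fired = []
    mine = [h for h in history if h.user == login.user]
    # Pattern detection: device seen in less than 3% of this user's requests in the last month
    month = [h for h in mine if 0 <= login.ts - h.ts <= MONTH]
    if month and sum(h.device == login.device for h in month) / len(month) < 0.03:
        fired.append("rare_device")
    # Pattern detection: fewer than 1% of all users accessed from this country in three months
    recent = [h for h in history if 0 <= login.ts - h.ts <= THREE_MONTHS]
    users = {h.user for h in recent}
    if users and len({h.user for h in recent if h.country == login.country}) / len(users) < 0.01:
        fired.append("rare_country")
    # Static scenario: the device "travelled" faster than a jet since the previous login
    if mine:
        prev = max(mine, key=lambda h: h.ts)
        hours = (login.ts - prev.ts) / 3600
        if hours > 0 and km_between(prev, login) / hours > JET_SPEED_KMH:
            fired.append("impossible_travel")
    return fired

# Slide 18: low = do nothing, medium = challenge question, high = OTP to mobile, very high = deny + alert
LEVELS = ["LOW", "MED-LOW", "MED-HIGH", "HIGH"]
RESPONSES = {"LOW": "allow", "MED-LOW": "challenge question",
             "MED-HIGH": "one-time password to mobile", "HIGH": "deny and alert security team"}

def decide(login: Login, history: list[Login]) -> tuple[str, str, list[str]]:
    """Assumed scoring: each fired rule raises the level one step; returns (level, response, rules)."""
    fired = triggered_rules(login, history)
    level = LEVELS[min(len(fired), len(LEVELS) - 1)]
    return level, RESPONSES[level], fired
```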

Page 19

Data Relationships

First Class Entities [ User, Device, IP, Etc. ]

Data sources: SQL, Files, JMS, WS, HTTP

Rule A [ If a purchase originates from a country not matching the country in the billing address then create an alert. ]

Rule B [ If an item has been purchased more than twice in the last week from a single device, each using a different credit card then create an alert. ]

Transaction Data [ Dollar Amount ] [ Item Quantities ] [ Item Numbers ] [ Coupon Code ] [ Shipping Priority ]

Entity Instances [ Shipping Address ] [ Billing Address ] [ Credit Card ]

Address [ Street Number ] [ Street Name ] [ Apt. Number ] [ City ] [ State ] [ ZIP Code ] [ Country ]

Credit Card [ First Name ] [ Last Name ] [ Middle Initial ] [ Number ] [ Security Code ] [ Expiration ]
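Rule A and Rule B from this slide as an added example, not the page's or Oracle's code. The `Purchase` fields mirror the entities named on the slide (Device, Billing Address country, Credit Card, Item Number); reading "each using a different credit card" as "every purchase in the window used a distinct card" is an assumption made here, and the card values are constructed tokens.

```python
from dataclasses import dataclass

WEEK = 7 * 86400  # Rule B's "last week"

@dataclass(frozen=True)
class Purchase:
    device: str           # first-class Device entity
    origin_country: str   # country the purchase request originated from
    billing_country: str  # [ Country ] of the Billing Address entity
    card: str             # constructed card token, never a real card number
    item_number: str      # [ Item Numbers ] from Transaction Data
    ts: int               # seconds since epoch

def rule_a(p: Purchase) -> list[str]:
    """Rule A: origin country does not match the billing-address country -> alert."""
    return ["RuleA:country_mismatch"] if p.origin_country != p.billing_country else []

def rule_b(p: Purchase, history: list[Purchase]) -> list[str]:
    """Rule B: same item bought more than twice in a week from one device, each time on a different card."""
    same = [h for h in history if h.device == p.device and h.item_number == p.item_number
            and 0 <= p.ts - h.ts <= WEEK] + [p]
    # Assumed reading of "each using a different credit card": all cards in the window are distinct
    if len(same) > 2 and len({h.card for h in same}) == len(same):
        return ["RuleB:card_cycling"]
    return []

def screen(p: Purchase, history: list[Purchase]) -> list[str]:
    """Alerts raised for one transaction by the slide's two rules; an empty list means no alert."""
    return rule_a(p) + rule_b(p, history)
```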

Page 20

Become Context Aware: Prevent and Detect Anomalous Behavior

Reducing Surface Area of Attacks: 89% Preventable Breaches

Source: “Adaptive Access Management: An ROI Study”, a commissioned study conducted by IDC on behalf of Oracle, 2010

ROI: 106%
Payback period: 12.1 months
Total benefits: $6,007,641
Total costs: ($2,912,513)
Net benefits: $3,095,129

Page 21

Oracle Experience: BT Managed Fraud Reduction

Page 22

BT Managed Fraud Reduction (MFR)

•  BT MFR is an automated fraud screening service developed by BT based on Oracle technologies.

•  BT MFR assesses the risk of each e-Commerce transaction.

•  BT MFR makes a risk assessment based on the behavior of the user.

•  BT MFR is complementary to existing fraud checks performed as part of payment authorization.

•  BT MFR is a real time service.

Page 23

BT MFR: Architecture and Extensibility

Diagram: Payments Processor/Merchant → Oracle Service Bus → OAAM Fraud Rules Engine; the OSB determines call routing and returns an aggregated response to the Payments Processor/Merchant.

Service providers shown (grouped on the diagram as Optional Services and Future Services): BTMA Strong Authentication, URU ID Verification, CLI Calling Line Identification, Quova Location Detection, Ethoca Fraud Intelligence, GB Group Business Data

Page 24

www.facebook.com/OracleIDM www.twitter.com/OracleIDM

blogs.oracle.com/OracleIDM

www.oracle.com/Identity