TRANSCRIPT
Security: A Payments Perspective
Terry Dooley, EVP & CIO
SHAZAM Network
Agenda
What’s Happening
What’s Changing
Payment Security Myths
Industry Protections
New Challenges
Emerging Risks
What’s Happening
Phishing, Vishing, Smishing, Data Compromises
You don’t need to teach an old dog new tricks!
What’s Happening
You get the phone call, text, or email
Yes, it still works!
New sunglasses, insurance payment, Facebook virtual money: transactions submitted in seconds
What’s Happening
Data theft: phishing, vishing, smishing
Consumer provides card or account data
Data is fed to counterfeiters in real time
Initial test transactions begin simultaneously in different countries
Based on the data compromised, the target is most likely card-not-present
Source: Verizon 2014 Data Breach Investigations Report
What’s Happening
Most skimming occurred on ATMs and gas pumps because of how easily they can be approached and tampered with. Nearly all victims are U.S. organizations.
Industries most commonly affected by POS intrusions are restaurants, hotels, grocery stores, and other brick-and-mortar retailers.
While phishing numbers are slightly lower in 2013, 8 percent of users will click an attachment and fill out a web form.
Most are skeptical of clicking an attachment, but 18 percent will visit a link within a phishing email.
What’s Changing
Payment credentials compromised
Small-dollar test transactions, slow flowing, wanting the 3-digit code on the back of the card
More significant purchases; transactions escalate
Fraud goals: high-value merchandise
Approach: low-velocity validation
Compromise: phishing, smishing
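The pattern described on these slides (a burst of small card-not-present test authorizations from several countries, followed by an escalation to a large purchase) is what a velocity/geographic rule in the issuer's fraud engine is meant to catch. The following is an added example, not code from the talk or from SHAZAM; the authorization records are constructed and the thresholds (small-dollar ceiling, window, country count, escalation amount) are assumed values a practitioner would tune to their own portfolio.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations (not real data): card 4111-01 shows the slide's
# pattern, card 4111-02 is ordinary activity. Fields: pan, timestamp, amount, country, cnp.
AUTHS = [
    ("4111-01", "2014-03-02T10:00:00", 1.00, "US", True),
    ("4111-01", "2014-03-02T10:00:40", 0.75, "BR", True),
    ("4111-01", "2014-03-02T10:01:15", 1.50, "RO", True),
    ("4111-01", "2014-03-02T11:30:00", 845.00, "US", True),
    ("4111-02", "2014-03-02T09:00:00", 42.10, "US", False),
    ("4111-02", "2014-03-02T12:10:00", 4.50, "US", False),
]

SMALL = 5.00                    # assumed "small dollar" ceiling for a test authorization
MIN_TESTS = 3                   # assumed number of small auths that counts as probing
MIN_COUNTRIES = 2               # assumed geographic spread that counts as suspicious
WINDOW = timedelta(minutes=15)  # assumed velocity window
ESCALATION = 100.00             # assumed amount at which a later purchase is "escalation"

def flag_test_then_escalate(auths, small=SMALL, min_tests=MIN_TESTS,
                            min_countries=MIN_COUNTRIES, window=WINDOW,
                            escalation=ESCALATION):
    """Return {pan: reason} for cards whose authorizations match the probing pattern."""
    by_pan = defaultdict(list)
    for pan, ts, amount, country, cnp in auths:
        by_pan[pan].append((datetime.fromisoformat(ts), amount, country, cnp))
    flagged = {}
    for pan, rows in by_pan.items():
        rows.sort()  # chronological order per card
        # only small card-not-present authorizations count as test transactions
        small_rows = [r for r in rows if r[1] <= small and r[3]]
        for i, (t0, _, _, _) in enumerate(small_rows):
            # sliding window starting at each small auth
            burst = [r for r in small_rows[i:] if r[0] - t0 <= window]
            countries = {r[2] for r in burst}
            if len(burst) >= min_tests and len(countries) >= min_countries:
                # did a large purchase follow the probing burst?
                later_big = [r for r in rows if r[0] > burst[-1][0] and r[1] >= escalation]
                stage = "escalated" if later_big else "probing"
                flagged[pan] = f"{stage}: {len(burst)} small CNP auths across {sorted(countries)}"
                break
    return flagged
```

Flagging at the "probing" stage, before the escalation arrives, is the point: once the large purchase authorizes, the loss has already occurred.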
Payment Security Myths
Technology Investment: If I invest in the latest security technology, can I get rid of other security technologies?
Technology Integration: I have a firewall, IDS, IPS, logging servers, and a SIEM; do I just plug them in and they work?
Human Resources: How many technologies can a security department manage, train on, and become expert in? If I invest in this technology, can I reduce the need to add more positions?
The Ripple Effect
Industry Protections
Perimeter Defenses: WAFs, Malware Detection, Document Inspection, SIEMs
Neural Engines: Velocity, Geographic, Device, Usability
Data Protection: Encryption, Tokenization, Dual Control
Consumer Account: Bank/Debit/Credit
New Challenges
Mobile devices
Cloud computing and personal usage exploding
Alternative payment apps
Intelligence vs. stupidity
Emerging Risks
Compromises are no longer about the immediate theft and use of the data
Thieves are installing keyloggers, malware, and RATs, among other tools, and letting them simmer for months before using them
There is no single security approach or technology that will prevent or reduce the value of stealing account and card data as long as transactions can occur without authentication
Emerging Risks
Silver bullet? EMV: No. Tokenization: No. Layered defenses: No.
Fraudulent transactions EMV would have prevented? Counterfeit: Yes. Internet (card-not-present): No.
Target breach EMV would have prevented? No.