1. Ask what your financial institution knows or has personally experienced with regard to internal and external data breaches.

Transcription

1 Part 1: Internal & External Data Breach Vulnerabilities Presented on: Thursday, February 12, 2 3 ET Co presented by: Ann Davidson VP of Risk Consulting at Allied Solutions Joe Majka CSO at Verifone 1 Breakdown of Today s Session 1. Ask what your financial institution knows or has personally experienced with regard to internal and external data breaches. 2. Discuss increasingly dangerous types of internal data breaches and security threats for financial institutions. 3. Discuss types external data breaches and security threats, and highlight the prevalence of these threats in the past, present, and future. 4. Share key strategies and solutions to help evaluate, minimize, and manage the risk of exposure to internal and external data breaches. 5. Open up the meeting for Q&A. 2 1

2 The Word on the Street About Breaches 3 What Are You Hearing? Has your financial institution been impacting by a data breach? What is your financial institution experiencing or hearing as it relates to risk exposures and fraud? 4 2

3 What Are WE Hearing? Phishing attacks Social engineering Theft of an individual s identifiable information Cyber liability risk internal breach Identity theft impacting account takeover and loan fraud Electronic transaction fraud impacting payments, cards, wires, and ACH 5 Top Internal Data Breaches and Security Threats for Financial Institutions 6 3

4 Data Breach Vulnerabilities Phishing Change default credentials SQL injection* Brute force attack Key logger/spyware Malware (backdoor-command-control)* Hacking Physical tampering Employee Manipulation 7 High Level Data Breach Process Victim..It could be you! Culprit. Most attacks are perpetrated by external players, as opposed to internal employees. Focus Attackers are mainly going for payment and financial institution data, which they can quickly convert into cash. Attack Hacking and malware are the most popular methods. Speed.. Attackers are faster at breaching systems. 8 4

5 How Hackers Break In Search for the weakest link Operational disruptions due to denial of service attacks or lost/stolen data Severity of the threat The speed and threat of the hack is complex Most of the time hard to identify 9 Data Breach Vulnerabilities What the bad guys are up to? Skimming data System Intrusion Point-of-sale Third-party vendor Note: Magnetic stripe track 1 data carries the cardholder name vs track 2 is identical card data except for the cardholder name. What they are leaving with?... Personal and financial information. What is their end game?... Money! 10 5

6 Top External Data Breaches and Security Threats for Financial Institutions 11 Past External Data Breach Trends 2000: Criminals target ecommerce merchants 2004: Stored magnetic-stripe data targeted 2005 to present: Memory scrapping malware (RAMscrappers); targeted phishing; social engineering 12 6

7 The Godfathers of Cyber Crime Roman Vega aka Boa BoaFactory and CarderPlanet Still in Federal custody Dmitri Ivanovich Golubov aka script CarderPlanet Arrested in Ukraine and released Elected to Parliament in Ukraine Albert Gonzalez aka soupnazi ShadowCrew Over 170 million stolen card numbers sold Sentenced to 20 years in federal prison 13 Major Targets for External Breaches U.S. companies Restaurants (#1) Other retailors (#2) Note: Large retailor breaches are reported in the news, but there are also hundreds of small merchant breaches that occur each year that do not make the news! 14 7

8 Current Attack Vectors Present day cyber attacks can be boiled down to the following main point-of-entries: Weak or default passwords Remote access: internal/third-parties Targeted phishing attacks Sequel injection attacks (SQL) Malware 15 External Security Threats BACKOFF POS Malware capabilities: Scraping memory for track data Logging keystrokes Command & Control (C2) communication Injecting malicious stub into explorer.exe Only costs $500 - $2,000 for cyber criminals to get their hands on this Malware! Note: It s key for merchants and financial institutions to maintain up to date antivirus programs as protections from new threats such as these are continually being added to anti-virus technology. * Source:

9 Current Cyber Attack Data 17 Future Threat Predictions Trending Cybersecurity Predictions for 2015 and beyond More cybercriminals will turn to darknets and exclusive-access forums to share / sell crime ware. Increased cyber activity translates to bigger and more successful hacking tools and attempts. Exploit kits will target Android as mobile vulnerabilities play a bigger role in device infection. We will see even more targeted attacks in the next few years. New mobile payment methods will introduce new threats. We will see more attempts to exploit vulnerabilities in open source applications Technological diversity will save Internet of Things devices from mass attacks, but the same won t be true for the data they process. 18 9

10 Mitigating Internal and External Breach Exposures 19 Card Issuer Prevention Strategies Early detection - card issuers are best positioned Rapid incident response review incident response plans Report suspected CPPs to payment brands Report suspected data breaches to the U.S. Secret Service Develop intelligence tools: FICO board / other issuers Krebs reports Law enforcement Payment brands 20 10

11 Recommendation from Department of Homeland Security IMPLEMENT HARDWARE BASED POINT TO POINT ENCRYPTION: It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website. * Source: Department of Homeland Security, July 31, Key Breach Prevention Strategies There are many actions your financial institution can take to prevent internal/external breach exposures: Keep abreast of new threats and learn how these can impact your institution and account holders Utilize layers of security to prevent system intrusions and payment transactions Educate your employees and account holders about how they can help to prevent a data breach: Never open s or attachments from an unrecognized source Lock or turn off computers when not in use Utilize system intrusion monitoring and detection systems to detect malware Set daily dollar and transaction limits for account holders Require passwords from employees before accessing accounts or administering external transfers Monitor password change reports for upticks in PIN or password change requests Require multi-factor authentication for online account access Validate your third-party vendors also have substantial risk prevention measures in place Implement effective security technologies like tokenization, end-to-end encryption, and EMV chip-and- PIN technology 22 11

12 Key Breach Response Strategies & Solutions There are many actions your financial institution can take to react to an exposure to a breach: Put in place secure card re-issuance strategies: Focus on clients in merchant s footprint Consider customer convenience vs fraud prevention Reissue the same PAN with a new CVV/CVC Reissue EMV cards Implement a data breach incident response plan: Identify internal team members Communications plan Card re-issuance strategy Develop a strong risk management plan with inclusion of products and services that mitigate internal and external data breach exposures: Payment protection, management, and reporting ID theft/fraud monitoring and mitigation Breach prevention technology and response planning Cyber liability insurance Comprehensive bond coverages 23 Q&A Session Education and awareness is key to our success! Therefore, if you have any remaining questions about data breaches or mitigating the risk of these breaches, please ask them now! 24 12

13 UPCOMING: Part Two of This Webinar Series! Title: Part 2: Emerging Payment Technologies & Impact on Data Breaches Details: Join Ann Davidson and Joe Majka again to learn about Chip-and- PIN technology, Apple Pay, Encryption, Tokenization and how these and other emerging payment technologies mitigate the risk of card-present and card-not-present data breaches. Date & Time: Wednesday, March 4, 2-3 (ET) Location: Hosted online through NAFCU Services. Registration: Registration is currently available on the NAFCU site and will also be ed out to all attendees of this webinar. 25 Contact Information To find out more about the products Allied Solutions offers to help prepare for or respond to financial institution risks, contact your Allied Rep or: Patrick Touhey Senior Vice President of Bond Allied Solutions, LLC To ask additional questions about data breaches that were not addressed today, contact either of today s co-presenters: Ann D. Davidson Vice President of Risk Consulting Allied Solutions, LLC ann.davidson@alliedsolutions.net Joe Majka Chief Security Officer Verifone Joe.Majka@verifone.com 26 13