DATA BREACHES AND ITS IMPACT ON CONSUMERS
AGENDA
About UNCLE Credit Union
Current Trends
Financial Industry
Target Breach
EMV
3 Layers of Prevention
Cybersecurity Framework
Protecting Your Identity
Legislative Update
THE HISTORY OF UNCLE FYI - it has nothing to do with your mom's brother
BACK IN THE DAY (Photo from 1957 at Radiation Laboratory in Livermore) Our credit union first opened in 1957 as Radiation Laboratory Credit Union. The lab changed its name to Lawrence Livermore National Laboratory in 1970. We changed our name to UNCLE, which is short for UNiversity of California Livermore Employees.
UNCLE TODAY In 2001, UNCLE was granted a four-county community charter. This opened membership to anyone who lives, works, worships, or attends school in Alameda, Contra Costa, San Joaquin or Stanislaus county. We have four financial centers and proudly serve over 21,000 members.
CURRENT TRENDS Attacks? What attacks?!?!
IT'S OCCURRING ALL THE TIME
BY A VARIETY OF MEANS
Phishing - Email, Mail
Pharming - Web Site
Hacking
Data Skimming - Credit/Debit Cards
Key Loggers
Social Engineering
Theft
Vishing - Social Engineering over the phone using IP technology, which is hard to trace.
Denial-of-Service (DoS) - Not a breach but very disruptive.
TOP 3 METHODS OF DATA LOSS (Bar chart: # of Incidents, scale 0 to 800, for Stolen Laptop, Social Engineering and Hacking) Source: 2006-2013 Risk Based Security, Inc.
ACROSS ALL INDUSTRIES (Pie chart of breaches by industry: Business, Education, Financial, Government, Healthcare; shares shown are 43%, 34%, 10%, 9% and 4%) Source: CSID
SOME OF THE LARGEST Who: Adobe Systems Inc. When: 10/19/2013 What: 152 Million Records How: Hack of company systems exposed customer names, IDs, encrypted passwords, and debit/credit card numbers and expiration dates.
SOME OF THE LARGEST Who: Heartland When: 1/20/2009 What: 130 Million Records How: Hack/malicious software exposes credit card data at the processor.
SOME OF THE LARGEST Who: TJX Corporation When: 1/17/2007 What: 94 Million Records How: Hack exposes credit card and transaction information.
SOME OF THE LARGEST Who: Sony When: 4/26/2011 What: 77 Million Records How: Hack exposes names, addresses, email, birthdates, PlayStation usernames and passwords, Online Profile, online purchase history and possibly credit card numbers.
SOME OF THE LARGEST Who: Experian When: 2007-2013 What: 200 Million Records How: Vietnamese criminals posing as a U.S. based private investigator successfully tricked Experian into selling them social security and driver's license numbers, bank account, credit card data and birthdates.
WHAT THE EXPERTS ARE SAYING
89% could have been prevented.
31% were due to insider threats or mistakes.
21% were the result of physical loss.
40% of the top breaches recorded to date occurred in 2013.
76% were due to weak or stolen account credentials.
29% of compromises were via social engineering.
Source: OTA analysis utilizing data provided by the Open Security Foundation, Risk Based Security, Symantec and the Privacy Rights Clearinghouse.
WHO HAS HAD A CARD REPLACED RECENTLY?
WHO HAS EXPERIENCED FRAUD/IDENTITY THEFT?
FINANCIAL INDUSTRY
FINANCIAL ATTACKS
Theft of Money
Stolen Computers / Backup Media
Member Data
And
CREDIT CARDS REMAIN THE MOST FREQUENT TARGET OF ACCOUNT TAKEOVER!
WHY HACKERS FOCUS ON POINT-OF-SALE DEVICES AND ATMS 3 Main Points of Attack:
Point of Sale - Merchants
Transmission - Processors
Credit Card Issuers - Financial Institutions
WHAT DO HACKERS WANT?
Card Number
Expiration Date
Name
PIN
CVV - Card Verification Value
TARGET BREACH
SOME OF THE LARGEST Who: Target Brands, Inc. When: 12/18/2013 What: 110 Million Records * May even be more! How: Hack exposes customer names, addresses, phone numbers, email addresses, as well as credit/debit card numbers with expiration dates, PINs, and CVV numbers.
TARGET SUMMARY What Happened? It appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with Target. Hackers then gained access to a billing system and it is believed that through this system they gained access to the network and the point-of-sale devices. How Long Did It Take To Report? At least 19 days but reports vary. Like many recent breaches, early signs were ignored or not deemed high risk. Source: http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
TARGET SUMMARY THE COSTS Target: Over $61 million in the 4th quarter of 2013, decline in business, numerous class action lawsuits. Consumers: Had to report fraud, get replacement cards, and update automatic/recurring accounts (i.e. gym, subscriptions). Financial Institutions: Cover fraud losses, provide consumer information in the form of letters, and had to reissue cards. The estimated cost of the Target breach alone to credit unions is close to $30 million. Most credit unions have yet to see any reimbursement from the retailers to cover these costs. Source: http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
WHAT ABOUT EMV?
TARGET BREACH AND EMV EMV will help reduce fraud but it is only part of the equation. EMV would have helped authenticate the card but once the authentication occurred, the data was temporarily stored unencrypted in memory so the hackers would have still gotten all the information.
THE CURRENT TECHNOLOGY IS OLD! SIGNATURES? WHY NOT A HANDSHAKE? The concept of customers paying different merchants using the same card was expanded in 1950 by Ralph Schneider and Frank McNamara, founders of Diners Club, to consolidate multiple cards.
EMV EMV stands for Europay, Mastercard and Visa. Chip card technology. Widely used outside of the United States. Focuses on authenticating the card.
EMV REQUIRES AN INVESTMENT IN TECHNOLOGY Needs upgraded point-of-sale hardware, ATMs, software and cards. Everyone needs to be involved: merchants, transaction processors and financial institutions.
EMV PROS Will reduce merchant losses and associated costs from fraud caused by counterfeit and stolen swiped card transactions. Most EMV-capable terminals and POS systems will also be enabled to accept contactless and mobile payments. Chip cards and smartphone payments will potentially offer new revenue sources via marketing offers and loyalty programs that can be transmitted directly from the merchant to the card or device. Foreign travelers to the U.S. will be better able to use their existing EMV cards.
EMV CONS Purchasing new or upgrading existing terminals and POS systems will be expensive. Transaction messaging requirements are different for EMV than for magnetic stripe sales. Merchants will need to coordinate with their acquirer to support both message types while they continue to accept both EMV and magnetic stripe cards. New card association policies will likely result in a liability shift from issuers to acquirers (and ultimately merchants) in certain situations.
VISA LIABILITY SHIFT Liability shifts beginning in October 2015. Merchants will be on the hook for all fraud that results from an EMV-compliant card being used in a non-EMV-compliant POS terminal.
NEW PAYMENT SOLUTIONS
NEW PAYMENT SOLUTIONS In addition to credit card technologies, more methods of making payments are coming:
Simple - New type of online bank account. Offers an online banking account with a Simple Visa Card. Funds are actually held with Bancorp Bank; Simple provides the interface.
Square - Take mobile credit card payments.
P2P - Dwolla, PayPal and others allowing users to make person-to-person payments.
Coin - Puts credit/debit card information from several cards on a single card.
And
BITCOIN bitcoin is a cryptocurrency and has been around since 2009. bitcoin ATMs were introduced in the US earlier this year. Mt. Gox, a leading bitcoin exchange, experienced a loss of 850,000 bitcoins valued at over $500 million! It filed for bankruptcy on February 28th. On March 21st it announced that it had found 200,000 bitcoins in an old digital wallet. The Mt. Gox statement reads: "At the start of February 2014, illegal access through the abuse of a bug in the bitcoin system resulted in an increase in incomplete bitcoin transfer transactions and we discovered that there was a possibility that bitcoins had been illicitly moved through the abuse of this bug. As a result of our internal investigation, we found that a large amount of bitcoins had disappeared. Although the complete extent is not yet known, we found that approximately 750,000 bitcoins deposited by users and approximately 100,000 bitcoins belonging to us had disappeared." Source: Techcrunch 3/3/14
WHAT CAN YOUR ORGANIZATION DO?
3 LAYERS OF PREVENTION Administrative Safeguards Technical Safeguards Physical Safeguards
EXAMPLES OF ADMINISTRATIVE SAFEGUARDS
IT Policies (review regularly)
Procedures
Authority / Access Limits
People and Training
Conduct Risk Assessments
Social Engineering Exercises
Incident Response Plan
Vendor Management
EXAMPLES OF TECHNICAL SAFEGUARDS
Firewalls
Antivirus/Malware Software
Intrusion Detection/Prevention Solutions
Encryption
User Credentials
Multi-factor Authentication
Regular Patching
System Logs
EXAMPLES OF TECHNICAL SAFEGUARDS
Fraud Monitoring
Ongoing assessments, audits and testing
IT Audits
Regular internal and external vulnerability testing
Penetration Testing - internal and external
PHYSICAL SAFEGUARDS Ask Yourself Three Questions: Where is your data stored? Who has physical access to it? Can you monitor/log access to it?
EXAMPLES OF PHYSICAL SAFEGUARDS
Secured Building
Video Security
Biometric Security
Card Access
Alarms
Shredding
Locked dumpsters
CYBERSECURITY FRAMEWORK
CYBERSECURITY FRAMEWORK President Obama issued Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity, on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework that provides guidance to an organization on managing cybersecurity risk. The National Institute of Standards and Technology (NIST) delivered version 1.0 of the Cybersecurity Framework on February 12, 2014.
CYBERSECURITY FRAMEWORK 5 CORE FUNCTIONS Identify Develop the organizational understanding to manage risk to systems, assets, data and capabilities. Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Source: The National Institute of Standards and Technology
CYBERSECURITY FRAMEWORK 5 CORE FUNCTIONS Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Source: The National Institute of Standards and Technology
PROTECTING YOUR IDENTITY
WHAT CAN YOU DO TO PROTECT YOURSELF? Passwords: Use strong passwords, alpha-numeric with special characters when possible. Don't use the same password on different systems. Don't share your passwords. Use a Password Manager:
LastPass
1Password
KeePass
Keeper
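The two password rules on this slide (strong, and never reused across systems) can be checked mechanically over the contents of a password manager's vault. The following is an added example, not part of the presentation or any of the listed products; the 12-character minimum, the one-of-each-character-class rule and the sample vault are constructed for illustration.

```python
"""Password hygiene checks of the kind the slide recommends.

Added example, not from the presentation. The policy (minimum length and
one character from each class) and the sample vault are constructed."""
import string

SPECIAL = set(string.punctuation)


def password_problems(password, min_length=12):
    """Return a list of policy violations; an empty list means the password passes.

    The character-class rule mirrors the slide's "alpha-numeric with special
    characters"; the 12-character minimum is an assumed policy value."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def reused_passwords(vault):
    """Group the sites in a vault that share one password.

    vault maps site name -> password (what a password manager holds). Returns a
    sorted list of sorted site groups, one per password used more than once,
    without echoing the passwords themselves."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


# Constructed sample vault; these are illustrative values, not real credentials.
SAMPLE_VAULT = {
    "bank": "Tr0ub4dor&3xample!",
    "email": "Tr0ub4dor&3xample!",   # same password as the bank: a reuse finding
    "shop": "summer2014",             # short, no uppercase, no special character
    "forum": "C0rrect-Horse-Battery",
}


def audit_vault(vault):
    """Run both checks over a vault: return ({site: problems}, reuse groups)."""
    weak = {}
    for site, password in vault.items():
        problems = password_problems(password)
        if problems:
            weak[site] = problems
    return weak, reused_passwords(vault)


if __name__ == "__main__":
    weak, reused = audit_vault(SAMPLE_VAULT)
    for site, problems in weak.items():
        print(f"{site}: {', '.join(problems)}")
    for group in reused:
        print("same password used on:", ", ".join(group))
```

The reuse report deliberately returns site names rather than the shared passwords, so the output can be shown or logged without exposing a credential.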
BE AWARE Think before you click on that link or reply to that email. Scams are everywhere and becoming very sophisticated! Monitor account balances and transactions. Set up alerts based on large transactions or balances falling below a certain level. Be aware of social engineering scams and always check credentials and escort vendors. Don't use a wireless hot spot or public computer to conduct financial transactions.
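The alerting the slide suggests (a large transaction, or a balance falling below a set level) is a small rule engine run over the account ledger. The following is an added example, not code from the presentation or from UNCLE's systems; the $500 large-debit threshold, the $100 balance floor, the ledger format and the sample transactions are all constructed.

```python
"""Account-activity alerting of the kind the slide recommends: flag large
debits and a balance that falls below a floor.

Added example, not from the presentation. The thresholds, the ledger format
and the sample transactions are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: Decimal      # negative = debit (money out), positive = credit
    description: str


@dataclass(frozen=True)
class Alert:
    txn_id: str
    rule: str            # "large_debit" or "low_balance"
    detail: str


LARGE_DEBIT = Decimal("500.00")   # assumed: any single debit at or above this is flagged
LOW_BALANCE = Decimal("100.00")   # assumed: alert when the balance first drops below this


def run_alerts(opening_balance, transactions, large_debit=LARGE_DEBIT, low_balance=LOW_BALANCE):
    """Replay transactions in order and return (closing_balance, alerts).

    The low-balance rule fires only when the balance crosses the floor, not on
    every transaction while it stays below, so a member is not flooded with
    repeats after one large purchase."""
    balance = opening_balance
    alerts = []
    for txn in transactions:
        previous = balance
        balance += txn.amount
        if txn.amount < 0 and -txn.amount >= large_debit:
            alerts.append(Alert(txn.txn_id, "large_debit",
                                f"{txn.description}: debit of {-txn.amount}"))
        if previous >= low_balance > balance:
            alerts.append(Alert(txn.txn_id, "low_balance",
                                f"balance fell to {balance}"))
    return balance, alerts


# Constructed sample ledger for one account.
OPENING_BALANCE = Decimal("650.00")
SAMPLE_LEDGER = [
    Transaction("T1", Decimal("-42.17"), "grocery store"),
    Transaction("T2", Decimal("-520.00"), "electronics retailer"),   # large, and drops below floor
    Transaction("T3", Decimal("-15.00"), "coffee shop"),             # still below floor: no new alert
    Transaction("T4", Decimal("400.00"), "payroll deposit"),
    Transaction("T5", Decimal("-9.99"), "streaming subscription"),
]


def demo():
    """Run the rules over the sample ledger; returns (closing_balance, alerts)."""
    return run_alerts(OPENING_BALANCE, SAMPLE_LEDGER)


if __name__ == "__main__":
    closing, alerts = demo()
    for a in alerts:
        print(f"[{a.rule}] txn {a.txn_id}: {a.detail}")
    print("closing balance:", closing)
```

Amounts are kept as Decimal rather than float so that balances reconcile to the cent; the crossing check (previous balance at or above the floor, new balance below it) is what keeps the low-balance rule from repeating on every small purchase after the first alert.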
USE AVAILABLE SECURITY TOOLS Update software on your computers and phones. Use Antivirus/Malware software. Use mobile security features such as setting up a passcode on your phone. Make sure your computers and phones lock after a certain amount of time.
IDENTITY THEFT PROTECTION
Credit Report Blocking
LifeLock
TAKE AWAY We all need to play a part if we are going to prevent data breaches.
Industry
Merchants
Financial Institutions
Consumers
Government
LEGISLATIVE UPDATE
DURBIN AMENDMENT Part of the Dodd-Frank financial reform law of 2010 which focused on interchange. Gave issuers an extra 1 cent per transaction for effective fraud-prevention measures. Didn't do anything on the merchant side.
GRAMM-LEACH-BLILEY ACT OF 1999 Established security standards for banks and credit unions to guard consumer data. There is no comparable law that governs merchants.
SECURITIES AND EXCHANGE COMMISSION Says public companies hit with breaches should inform consumers in a timely manner. There is no national law that compels retailers or any firm to disclose a data breach.
CALIFORNIA LAW Requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
QUESTIONS?
OPEN DISCUSSION Any last words?
WHERE TO GET MORE INFORMATION
https://www.privacyrights.org/banking-and-finance
http://datalossdb.org
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.csid.com/resources/stats/data-breaches-by-industry/