
ISMG’s Global Fraud & Breach Summit is a must-attend event for any executive tasked with protecting an organization from today’s information security threats.

March 22-23, 2016 | Hilton Financial District

Fraud and Breach Prevention Summit

SAN FRANCISCO

Visit ismgcorp.com/events for more information

Interested in multiple attendees? Contact [email protected] or call (800) 944-0401

ISMG’s Upcoming Fraud and Breach Prevention Summit in San Francisco!

Tom Field, Vice President, Editorial

When we first gathered here a year ago, we were amidst a string of high-profile retail breaches that had repercussions throughout the world, sparking fresh discussions about new payments security answers.

Today, we’re here to discuss not just the future of payment card security, but also the rapid evolution of cyber-attacks and the unique challenges of detecting, responding to and investigating these crimes.

With dual tracks focusing on fraud and on breach prevention/response, we hope today’s Summit offers you multiple entry points into these engaging topics. Mix and match – attend sessions in each track, and be sure to take time to meet with your peers, our speakers and our sponsors. Exchange insights on today’s top schemes and the technology solutions designed to stop them.

Throughout the day, please take time to visit with our Summit sponsors, who make this event possible.

Also, please be sure to evaluate each of our sessions and speakers, and introduce yourself anytime to the entire ISMG team. Let us know how we can help you enrich your Summit experience.

Best,

Tom Field
Vice President, Editorial
[email protected]

Schedule

Tuesday, March 22

Time  Session

12:00pm - 1:00pm  Workshops Registration & Networking

1:00pm - 2:30pm  Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack

Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale. As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

2:30pm - 3:00pm  Break & Networking

3:00pm - 4:30pm  Breach Response Planning: Hammer Out Your Legal, Business and Technology Differences Before a Breach

Every mature enterprise understands the necessity of maintaining a tested breach response plan. But it’s critical for the scope of that plan to go beyond technical operations, covering all interested parties, such as legal, finance and media relations, that may have greatly different priorities at crunch time.

Hear the perspectives of key stakeholders – the practitioners who represent legal, IT and business operations, and whose organizations have suffered severe data breaches.

4:30pm - 5:00pm  Closing Remarks

5:00pm - 6:00pm  Dinner & Networking


Wednesday, March 23 - Morning

Time  Session

8:00am - 9:00am  Registration, Breakfast & Exhibit Browsing

9:00am - 9:30am  Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack

Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale. As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

From 9:30am the program splits into two parallel tracks: FRAUD TRACK and DATA BREACH TRACK.

9:30am - 10:00am

Fraud track: New Account Fraud: Still a Model of Success

This session will discuss strategies and technologies to gain a more accurate and holistic picture of account applicants and to respond in real-time to risk.

Data breach track: Et Tu Brute? How Your Government Can Take You Down

Take an in-depth look at the details of an investigation of a cancer screening service that led to a protracted legal battle, putting the service out of business.

10:00am - 10:30am

Fraud track: Customer Endpoint Protection – Securing Transactions From Millions of Devices You Don’t Own

Experts will discuss the latest in tools and strategies, including the latest endpoint malware capabilities, fraud detection and prevention technologies, and more.

Data breach track: The True Cost of Data Breaches: Not Just a Dollar Per Record

Hear a firsthand account of a business leader who has survived, overcome and thrived in the wake of such an experience.

10:30am - 11:00am  Break & Networking

11:00am - 11:30am

Fraud track: Mobile: The Emerging Standard for Payments and the Next Target for Fraud

We will discuss the latest mobile vulnerabilities and the mechanisms to secure them, including the inherent differences and weaknesses of the best-known mobile platforms, and more.

Data breach track: Reverse Engineering Intrusions and Infections: How Malware Can Educate Us About Our Adversaries

We can use clues such as hard-coded command-and-control IP addresses, communication mechanisms and general toolset functionality to build a picture as to how an attack will be conducted. In this session we’ll hear from a leading research lab about its methods in defeating attacks based on these observations.

11:30am - 12:00pm

Fraud track: Card-Not-Present: Fraud on the Move, Back to the Future, Again

Attend this session, where we’ll discuss developments in CNP fraud detection and prevention.

Data breach track: Mass Identity Management: Our Collective Multipersona Disorder

Join us in this session on the scope of identity sprawl and the leading mechanisms and techniques to ensure the safety of PII (Personally Identifiable Information).

12:00pm - 12:30pm

Fraud track: Account Takeover: Where Does the Buck Stop?

Our legal and anti-fraud experts will discuss various account takeover prevention strategies, including: the distinction between fraud detection and prevention tools for account compromise and account takeover mitigation; the latest evolution of account takeover schemes; and more.

Data breach track: APIs: The Unmanned and Ever Expanding Threat Interface

Recent attacks at Snapchat, Yahoo and Tesla clearly show the vulnerabilities of poorly implemented and protected APIs. In this session we’ll describe the extent to which this vulnerability is exploited and the best practices for securing it.

12:30pm - 1:30pm  Lunch

Wednesday, March 23 - Afternoon

Time  Session (FRAUD TRACK and DATA BREACH TRACK run in parallel)

1:30pm - 2:00pm

Fraud track: Biometrics: From Fingerprints to Heart Beats, from iTunes to Missiles

This session will review some of the latest advances in biometrics for both “whitelist” and “blacklist” applications, as well as the most significant considerations for their secure deployment.

Data breach track: Internet of Everything: Please Don’t Connect It First and Secure It Later

The number of IoT devices will proliferate to over one trillion in the next few years, but any device that can communicate with another potentially can provide a direct conduit from the public Internet to some very private and valuable information. Join us as we attempt to help you say: “Yes, you can connect now. We’ve got this covered.”

2:00pm - 2:30pm

Fraud track: Knowledge-Based Authentication is Dead; We Need a New, Multidimensional Approach

Here we will describe a layered approach to building a multidimensional reference model of every individual that adapts to changes in the environment, and “prove” that they are who they say they are.

Data breach track: Ransomware: You Can Have Your Business Back, But for a Fee

We’ll discuss the scope of this threat, steps you can take to minimize your risk of being victimized by ransomware attacks and steps you can take to recover your data should you fall victim to this type of attack.

2:30pm - 3:00pm

Fraud track: Federal Reserve Initiative: Faster Payments from End-to-End

In this interactive session, a Federal Reserve Payments executive discusses how the Fed is expanding its payments focus beyond the services it provides today to merchants and banking institutions.

Data breach track: Breach Disclosure: The Media’s Role

Listen to a panel of well-known journalists discuss their evolving roles. What are some of their reporting techniques? How do they decide what is or is not a story? How can you work more effectively with them when your organization is the one in the news?

3:00pm - 3:30pm  Break & Networking

3:30pm - 4:00pm

Fraud track: Fraud Protection and User Friction: Online Experience vs. Risk Management

Getting the right balance between online experience and fraud protection is key. In this session, you will gain insight into the ways to provide protection and enhance the customer experience.

Data breach track: International Breach Disclosure: Navigating A New Legal World of Complexity

You will query a panel of litigators who focus solely on data breach, theft of intellectual property and privacy-related topics.

4:00pm - 4:30pm

Fraud track: The Blockchain: A New Hypersecure Fabric for Any Transaction?

Many current transaction mechanisms are vulnerable to fraud. In this session we’ll walk through the potential impact of broader blockchain deployment.

Data breach track: Role-Based Behavior Analytics: Patterns and Anomalies in User Behavior as Indicators of Attack

Here we will lay out the various models used for behavior pattern analysis and demonstrate how this may be integrated into a real-world SOC.

4:30pm - 5:00pm  If Data Has No Value, Its Theft is Pointless

Payment transactions often provide a treasure trove of valuable, usable data for thieves. But if that data has no value, it becomes useless and will eventually no longer be a target for theft in the first place. In this session we’ll discuss the benefits and pitfalls on this topic.

5:00pm - 6:00pm  Cocktails & Networking

Faculty

Editorial Staff

Howard Anderson, News Editor
Tracy Kitten, Executive Editor, BankInfoSecurity & CUInfoSecurity
Robyn Weisman, Custom Content Producer
Mathew J. Schwartz, Executive Editor, DataBreachToday & Europe
Geetha Nandikotkur, Managing Editor, Asia & the Middle East
Eric Chabrow, Executive Editor, GovInfoSecurity & InfoRiskToday
Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity
Varun Haran, Principal Correspondent

Based on decades of experience, content for ISMG’s Summit series is crafted by the foremost experts in information security and risk management.

Tom Field, Vice President, Editorial

Field is an award-winning journalist with over 30 years’ experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial operations for all of ISMG’s global media properties. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences. He has appeared at RSA Conference and on various C-SPAN, History Channel and Travel Channel television programs.

ISMG brand and regional Executive Editors will moderate most summit sessions. With extensive industry and regional expertise, these hosts are responsible for ensuring a timely pace and connecting speakers with the audience.

Mindy Blodgett, Content Director

Blodgett is an Events Content Director at Information Security Media Group and is an experienced communications specialist and content creator for editorial, marketing and events. She has spent more than 30 years in communications and events roles, with a focus on information technology and business strategy journalism and related events. Before coming to ISMG, she produced content for events for the International Data Group (IDG) Enterprise; was a senior editor at CIO magazine and worked as a research analyst for the Yankee Group.

Speakers

A small cross-section of our expert speaker community:

Michael Theis, CMU CERT Insider Threat Center
Jeffrey Shaffer, PricewaterhouseCoopers
Doug Johnson, American Bankers Association
Clyde Langley, Charles Schwab
Robert Carr, Heartland Payment Systems
Richard Bortnick, Traub Lieberman Straus & Shrewsberry, LLP
Avivah Litan, Gartner
Barbara Pacheco, Federal Reserve Bank of Kansas City
Eduardo Perez, Visa Inc
Janey Carruthers, US Banking Regulator
Julie Conroy, Aite Group
David Pollino, Bank of the West
Kate Borten, The Marblehead Group
Jessica Corley, Alston & Bird LLP
Ron Ross, National Institute of Standards and Technology (NIST)
Kevin Morrison, The Results Companies
T.C. Spencer Pryor, Alston & Bird, LLP
David Szabo, Locke Lord LLP
Dr. Dale Meyerrose, U.S. Air Force (retired)
Michael Redman, Space and Missile Defense Command (SMDC)
Dominique Shelton, Alston & Bird, LLP
Sharon Anolik, Privacy Panacea
Shirley Inscoe, Aite Group
Uri Rivner, BioCatch


2016 Summit Events at-a-glance

Global Reach [map and March-to-December timeline of 2016 Summit locations, marking 1.5-day and 2.5-day events in Toronto, Dubai, Mumbai, Silicon Valley, Chicago, Boston, Bangalore, Amsterdam, Washington DC, Singapore, Miami, New York, London and Delhi]

NEW YORK: Fraud & Data Breach, August 2, 2016; Healthcare, October 18, 2016
TORONTO: Fraud & Data Breach, September 13, 2016
SILICON VALLEY: Fraud & Data Breach, March 22, 2016
CHICAGO: Fraud & Data Breach, November 8, 2016
WASHINGTON, DC: Government, May 17, 2016
BOSTON: Fraud & Data Breach, July 12, 2016
LONDON: Fraud & Data Breach, November 8, 2016
DUBAI: Fraud & Data Breach, Early May
DELHI: Fraud & Data Breach, November
SINGAPORE: Fraud & Data Breach, September
MUMBAI: Fraud & Data Breach, June
BANGALORE: Fraud & Data Breach, March 16, 2016
AMSTERDAM: Fraud & Data Breach, September 27, 2016

Sessions

The New Wave of Fraud Analytics and AI

Fraud detection has long been a goal of big data analytics, but we’ve seen too many expensive deployment casualties along the way, leaving us with lakes of data and minimal successful fraud detection.

But today as data collection techniques develop and machine-learning capabilities are tuned to this use case, highly accurate data linkage and pattern detection solutions can be created to quickly identify fraudulent behavior amid the “noise” of authentic transactions.

Attend this session to learn how some forward-looking organizations are using advanced analytics tools to:

• Use the latest in multi-channel modeling and identification patterns technology to detect fraud;
• Pull actionable information from cognitive analysis and AI;
• Reduce the opportunity for cross-channel fraud;
• Cut response time between suspicious activity occurrence and detection;
• Take unstructured data and turn it into relevant information for decision-making and analysis.

Breach Response Planning: Hammer Out Your Legal, Business and Technology Differences Before a Breach

Every mature enterprise understands the necessity of maintaining a tested breach response plan. But it’s critical for the scope of that plan to go beyond technical operations, covering all interested parties, such as legal, finance and media relations, that may have greatly different priorities at crunch time.

Hear the perspectives of key stakeholders – the practitioners who represent legal, IT and business operations, and whose organizations have suffered severe data breaches. Learn from them:

• The roles each stakeholder plays in crafting and testing the plan;
• What changes when the breach is real and it’s time to put the plan in action;
• Lessons learned from their own breach experiences.

Data Breach Outlook: From Its Nation-State Roots to the Next Massive Attack

Born from nation-state espionage, hundreds of tools and services are now available for assembly into custom-built attack suites fit for almost any purpose and truly massive scale.

As these attacks are gaining momentum and sophistication, we need to adapt our defenses accordingly. To do that effectively, we must clearly understand how and why our enemy functions.

Therefore, in this session we will discuss:

• The current statistical scale and scope of targeted attacks;
• The threat actors executing these attacks and their motivations for doing so, including financial gain, personal identity information (PII) and terror;
• The types of valuable data and/or critical infrastructure they are now targeting;
• Existing vectors that remain vulnerable, as well as new points of vulnerability, such as APIs and mobile;
• Where resources should be focused to defend against these evolving threats.

FRAUD TRACK

New Account Fraud: Still a Model of Success

Account origination fraud remains one of the fastest growing threats today for organizations ranging from banks to government entities. According to Javelin Strategy & Research, this type of fraud has risen by 50 percent with $9.8 billion in losses – and the damage continues to grow. With account origination fraud so difficult to detect and with the stakes so high, this session will discuss:

• Strategies and technologies to gain a more accurate and holistic picture of account applicants and to respond in real-time to risk;
• The shortcomings of using device identification and log analysis to create a layered defense strategy;
• The latest on cloud-based solutions and behavioral analytics;
• Ways to integrate solutions with your internal and consumer-facing systems in order to more quickly assess risk and to identify inconsistencies.


DATA BREACH TRACK

Et Tu Brute? How Your Government Can Take You Down

After any significant breach, many parties, including customers, clients, business partners and government agencies, will demand clarity about the details of how the incident occurred and what data was exposed.

Increasingly, the Federal Trade Commission is aggressively investigating breaches to ensure that an organization is not negligent or reckless with private information. But some question whether the FTC is basing its decisions upon reliable information.

In this session we’ll take an in-depth look at the details of an investigation of a cancer screening service that led to a protracted legal battle, putting the service out of business.

FRAUD TRACK

Customer Endpoint Protection – Securing Transactions From Millions of Devices You Don’t Own

By allowing connections to multiple endpoint platform types, financial institutions are tasked with providing a secure transaction channel to a massive number of devices they don’t own and have limited control over. Meanwhile, cybercriminals develop new attacks targeted directly at this type of communication every day, with maturing multifunction malware such as Zeus already infecting millions of endpoints in the U.S. alone.

In this session, experts will discuss the latest in tools and strategies, including:

• The latest endpoint malware capabilities;
• How assuming that every endpoint may already be compromised, while still providing a secure channel to it, is a viable strategy;
• The latest fraud detection and prevention technologies;
• How enhanced authentication with biometrics, Device ID and behavioral analytics can be integrated.

DATA BREACH TRACK

The True Cost of Data Breaches: Not Just a Dollar Per Record

When an organization suffers a data breach, how can we quantify the total of all the associated costs?

The scope of costs goes way beyond a fixed dollar value per stolen record, extending to include legal fees, third-party forensic services, loss of reputation and defense improvements as well as state and federal penalties.

An entire complex, interconnected, multifaceted economy sprouts up in the wake of every significant data breach, each adding its own contribution to the total overall cost.

In this session we’ll hear a firsthand account of a business leader who has survived, overcome and thrived in the wake of such an experience.

FRAUD TRACK

Mobile: The Emerging Standard for Payments and the Next Target for Fraud

Mobile is quickly establishing itself as the payment channel of choice. More than 36 million Americans are forecast to conduct $27 billion in mobile transactions in the coming months. As users increasingly adopt new payments platforms, including Apple Pay and Samsung Pay, cybercriminals are devising new ways to compromise them, with new malware exploiting inter-application vulnerabilities or the devices themselves. And old protection mechanisms are no longer effective in combating this growing threat.

In this session we will discuss the latest mobile vulnerabilities and the mechanisms to secure them, including:

• The inherent differences and weaknesses of the best-known mobile platforms;
• The latest in authentication tools and technologies, including biometrics, geo-location, Device ID and more, available for financial services providers and retailers to detect and counter fraud attempts in real time;
• The potential trade-offs between ease of use, functionality and security;
• Mobile Device Management solutions for onboarding and maintaining devices.


DATA BREACH TRACK

Reverse Engineering Intrusions and Infections: How Malware Can Educate Us About Our Adversaries

Although zero-day malware is relatively uncommon, most attacks do employ some form of purpose-built software to establish residency and “act” within our networks.

By deconstructing and analyzing this code, we can gain great clarity into exactly how our adversaries operate. We can use such clues as hard-coded command-and-control IP addresses, communication mechanisms and general toolset functionality to build a picture as to how an attack will be conducted.

These insights help us to detect the behavioral patterns of an attack, instead of relying on code signature-based detection, which has been proven to fail as a single line of defense.

In this session we’ll hear from a leading research lab about its methods in defeating attacks based on these observations.

FRAUD TRACK

Card-Not-Present: Fraud on the Move, Back to the Future, Again

As fraudsters switch focus back to card-not-present (CNP) schemes, research from the Aite Group indicates that such schemes will soon outpace card-present fraud in the U.S. by a three-to-one margin. Globally, payments provider ACI Worldwide saw a 30 percent increase in CNP fraud in the first half of 2015. In fact, ACI says that approximately 1.2 percent of all CNP transactions conducted between January 2015 and July 2015 were fraudulent.

While in-person payment technologies become increasingly sophisticated, CNP transactions still rely on decades-old security mechanisms that are relatively easy to defeat.

Attend this session, where we’ll discuss developments in CNP fraud detection and prevention via:

• Multifactor, multichannel authentication mechanisms being applied across both the endpoint and call-center channels;
• Real-time fraud monitoring systems and tools, such as the 3-D Secure messaging protocol;
• The use of behavioral analytics tools to review purchase and payment trends across multiple channels;
• Tokenization and what it can do to protect consumers and issuers.

DATA BREACH TRACK

Mass Identity Management: Our Collective Multipersona Disorder

We, and often our devices, each have multiple identities, gradually spreading into every facet of our lives while simultaneously increasing in accessibility and value. Employers and service providers, meanwhile, struggle to provision, manage, track and secure them, often on a massive scale.

While vendors focus on solutions for single sign-on, identity federation and application integrations, the National Strategy for Trusted Identities in Cyberspace (NSTIC) is emphasizing the importance of privacy, security, resiliency, interoperability and ease of use.

What are the immediate hurdles and opportunities for achieving these goals?

Join us in this session on the scope of identity sprawl and the leading mechanisms and techniques to ensure the safety of PII (Personally Identifiable Information).

FRAUD TRACK

Account Takeover: Where Does the Buck Stop?

Despite years of trying to figure out who is liable for corporate account takeover incidents, we are no closer to an answer. ISMG’s latest fraud research shows that incidents and resulting losses from account takeover have remained steady or grown for most institutions over the past five years.

While many of these incidents ended up being resolved out of court, before judges could rule on primary responsibility, the question remains: Who is liable? Is it the business whose credentials were stolen, or the institution that failed to spot and stop anomalous behavior?

Because of the significant pain and losses attached to account takeover fraud, financial institutions need to do more to avoid it in the first place. In this session, our legal and anti-fraud experts will discuss various account takeover prevention strategies, including:

• The distinction between fraud detection and prevention tools for account compromise and account takeover mitigation;
• The latest evolution of account takeover schemes;
• Recent case law on account takeover liability;
• Powerful new tools that help organizations detect anomalous transactions and stop them before damage is done.

DATA BREACH TRACK

APIs: The Unmanned and Ever Expanding Threat Interface

Recent attacks at Snapchat, Yahoo and Tesla clearly show the vulnerabilities of poorly implemented and protected APIs.

Almost every new cloud, partner, mobile or IoT service relies on an API for automated configuration and use. The proliferation of these app-to-app communications for payments, data exchange and messaging is drastically expanding the enterprise threat map, despite bypassing all but the most rudimentary security measures.

When compromised by an attacker, these interfaces provide connectivity directly into a mesh of “unmanned” inter-app channels that are rarely inspected for suspicious behavior.

In this session we’ll describe the extent to which this vulnerability is exploited and the best practices for securing it.

FRAUD TRACK

Biometrics: From Fingerprints to Heart Beats, from iTunes to Missiles

Biometrics offer many of the sought-after characteristics of authentication perfection. They provide highly complex patterns that are unique and are impossible to forget or leave at home. Whether paying for coffee with a heartbeat or accessing a laboratory with an iris, the potential use cases are limitless.

There are, however, significant challenges to implementing biometric-based solutions, such as the initial recording and registration process, protecting the privacy of individuals and any stored or transmitted identifying information. Maintaining the security and confidentiality of that information from theft and abuse also is critical because there is no form to fill out to replace it.

In this session we’ll review some of the latest advances in biometrics for both “whitelist” applications, such as granting access to sensitive information or funds, and “blacklist” applications, such as identifying fraudsters’ voices at call centers, as well as the most significant considerations for their secure deployment.

DATA BREACH TRACK

Internet of Everything: Please Don’t Connect It First and Secure It Later

The number of IoT devices will proliferate to over one trillion in the next few years, but any device that can communicate with another potentially can provide a direct conduit from the public Internet to some very private and valuable information.

In our rush to connect everything together, secure connectivity and information handling is frequently an afterthought, if ever even a thought at all.

Is it possible to instill sound SDL (security development lifecycle) practices into device manufacturers? Practices are improving, with more refinements on the way. But hope, as they say, is not a strategy.

An alternative to waiting for built-in security to gestate is to bolt it on. Several gatekeeper onboarding solutions exist for brokering the relationship between enterprise and device, limiting connectivity in controlled phases, and managing patch levels, authorization and connectivity to within acceptable limits.

Join us as we attempt to help you say: “Yes, you can connect now. We’ve got this covered.”


FRAUD TRACK

Knowledge-Based Authentication is Dead; We Need a New, Multidimensional Approach

Until we get to a stage where we can guarantee the confidentiality of static identity reference data, such as names, addresses, emails and favorite cat colors, we must move away from relying on it for authentication.

Truly massive amounts of this information are stolen on a regular basis, proving we are far from achieving its confidentiality. Moreover, it is a straightforward process to use this data to steal, or at least borrow, someone’s identity.

There is, however, a wealth of dynamic, behavioral, reputational and association-type information that can add many organic dimensions to identity verification data, making it far more difficult to compromise than static, “flat” reference fields.

In this session, we will describe a layered approach to building a multidimensional reference model of every individual that adapts to changes in the environment, and “prove” that they are who they say they are.

DATA BREACH TRACK

Ransomware: You Can Have Your Business Back, But for a Fee

Digital hostage taking has become a highly profitable opportunity for cyber criminals. Strategic, enterprise-focused attackers use ransomware (which can be purchased from Ransomware-as-a-Service providers on the Dark Web) for a variety of reasons, including hacktivism, nation-state revenge or financial gain.

Ransomware has become popular with threat actors because the methodology is quite simple. It encrypts your systems and then tells you that if you want to recover your information, you must pay a certain amount for the decryption key. And if you don’t pay? You risk losing months, even years of your organization’s critical information.

In this session we’ll discuss the scope of this threat, steps you can take to minimize your risk of being victimized by ransomware attacks and steps you can take to recover your data should you fall victim to this type of attack.

FRAUD TRACK

Federal Reserve Initiative: Faster Payments from End-to-End

As we discuss ways to ensure faster payments security, we must make sure we include newer payments providers, such as Apple Pay and Square, that aren’t associated with banks and are, for the most part, unregulated.

Federal Reserve experts say that it’s no longer enough to focus on bank-to-bank payments as they have historically. Now they are focusing on transactions from an end-to-end perspective – from the point at which the consumer makes a payment through the various financial institutions and payments providers all the way to the commercial side.

In this interactive session, a Federal Reserve Payments executive discusses how the Fed is expanding its payments focus beyond the services it provides today to merchants and banking institutions, including:

• The types of financial fraud that are of greatest concern;

• The importance of a variety of stakeholders within the payments industry playing a role in crafting a faster payment strategy;

• The Federal Reserve’s payments industry roadmap.

DATA BREACH TRACK

Breach Disclosure: The Media’s Role

Sometimes breach disclosure is mandated by a regulator. Occasionally, it comes from a CEO who wants to control the news. But often it’s an enterprising journalist who pulls together and validates disparate facts, then breaks the news about the latest breach – often against the wishes of the breached entity.

Their backgrounds are varied, but their methods are common: to sift through tips, trends, incidents, studies and commentary to determine fact from fiction or even PR spin. Sometimes the information comes from official sources. Often it’s from sources of questionable repute in the Dark Web. It’s the journalists’ responsibility to treat these leads with equal parts caution and respect, and then to stand solidly behind what they publish.


Listen to a panel of well-known journalists discuss their evolving roles. What are some of their reporting techniques? How do they decide what is or is not a story? How can you work more effectively with them when your organization is the one in the news?

FRAUD TRACK

Fraud Protection and User Friction: Online Experience vs. Risk Management

Customers have put financial institutions and retailers in a sort of pickle. On the one hand, customers expect their transactions to be secure, yet they also demand a frictionless online experience.

How do banks and retailers negotiate the seeming chasm between a delightful online experience and one that protects against fraudulent activity? They do have a plethora of technology options for increasingly sophisticated fraud detection. Should these solutions hinder customers’ ability to make an easy transaction, however, they will abandon it, leading to frustrated customers and lost business.

Getting the right balance between online experience and fraud protection is key. In this session, you will gain insight into the ways to provide protection and enhance the customer experience, including:

• The latest ways to instill risk mitigation while also implementing a strategy of increasing customer satisfaction;

• Building a unified approach to fraud prevention across all lines of business;

• The technology advances that place an emphasis on prevention rather than breach and after-the-fact detection.

DATA BREACH TRACK

International Breach Disclosure: Navigating A New Legal World of Complexity

Following two years of headline breaches at the likes of Target, JPMorgan Chase, Sony, Anthem and OPM, the U.S. Congress is finally poised to at least discuss enactment of a national breach disclosure law superseding all of the individual state regulations.

But that’s just one nation.

Around the world, governments such as the European Union have either developed or even refined their own breach notification laws or are in the process of drafting one.

If your organization conducts business in these countries, and/or stores information on these nations’ citizens, then pay close attention to the vast array of existing and pending international breach regulations. Because when your organization is breached, you will be held accountable to these laws.

You don’t want to take a crash course in international breach legislation after your organization has been breached. Instead, take time now to query a panel of litigators who focus solely on data breach, theft of intellectual property and privacy-related topics. Learn:

• How international breach disclosure regulations are shaping up in 2016;

• Lessons learned from case law involving breached entities that have run afoul of the law;

• How to tailor your own breach disclosure plan to meet the most exacting of international standards.

FRAUD TRACK

The Blockchain: A New Hypersecure Fabric for Any Transaction?

Although developed to support the infamous Bitcoin, the blockchain mechanism is proving to have a multitude of use cases, from IoT micro payments to capital market trading, retail banking and even voting.

The blockchain, in effect, is a distributed ledger, shared with hundreds of thousands of automated auditors that verify the authenticity of every transaction, drastically reducing, if not completely eliminating, fraudulent entries.

Many current transaction mechanisms are vulnerable to fraud. In this session we’ll walk through the potential impact of broader blockchain deployment.


DATA BREACH TRACK

Role-Based Behavior Analytics: Patterns and Anomalies in User Behavior as Indicators of Attack

A monumental challenge for security teams is distinguishing between legitimate user behavior and an attacker using valid credentials. New machine-learning applications are emerging to distinguish between the two. These new applications can analyze seemingly endless activity and events from various classes of users, apps and devices. Moreover, they can blend this information with contextual reference points, such as geolocation, device type and time of day, so that distinctly normal patterns of activity emerge, and anomalies begin to stand out. These anomalies can be further compared with known malicious activity patterns, and once a match is found, may then be reclassified as an active indicator of attack.

In this session we will lay out the various models used for behavior pattern analysis and demonstrate how this may be integrated into a real-world SOC.
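One way to realize the baseline-plus-context approach described above, as an added example that is not part of the session material: per-role baselines of country, device type and hour of day are built from constructed login events, a new event is flagged on each contextual feature that is rare for its role, and the resulting anomaly is promoted to an indicator of attack only when it matches one of the hypothetical known patterns in KNOWN_PATTERNS.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

FEATURES = ("country", "device", "hour")


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    country: str  # where the session originated
    device: str   # device type used
    hour: int     # local hour of day, 0-23


def context(event):
    """Contextual reference points of one event; hour is bucketed."""
    return {"country": event.country, "device": event.device,
            "hour": "business" if 8 <= event.hour < 18 else "off-hours"}


def build_baseline(events):
    """Per-role frequency of each contextual value seen in the history."""
    baseline = defaultdict(lambda: {f: Counter() for f in FEATURES})
    for e in events:
        for feature, value in context(e).items():
            baseline[e.role][feature][value] += 1
    return dict(baseline)


def anomalous_features(baseline, event, min_share=0.05):
    """Features of `event` whose value is rare (< min_share) for its role."""
    flags = set()
    for feature, value in context(event).items():
        counts = baseline[event.role][feature]
        if counts[value] / sum(counts.values()) < min_share:
            flags.add(feature)
    return frozenset(flags)


# Constructed, hypothetical patterns: combinations of anomalous context that
# resemble past misuse of valid credentials. Most specific pattern first.
KNOWN_PATTERNS = {
    "credential-misuse": frozenset(FEATURES),
    "new-device-off-hours": frozenset({"device", "hour"}),
}


def classify(baseline, event):
    """Return (verdict, anomalous feature set) for one event."""
    if event.role not in baseline:       # no history for this role at all
        return ("no-baseline", frozenset())
    flags = anomalous_features(baseline, event)
    if not flags:
        return ("normal", flags)
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern <= flags:             # anomaly matches a known pattern
            return ("indicator-of-attack:" + name, flags)
    return ("anomaly", flags)            # unusual, but no known pattern


# Constructed sample history (not from the page): finance staff log in from
# the US on laptops during business hours; engineering keeps odd hours.
HISTORY = [Event("alice", "finance", "US", "laptop", h) for h in (9, 10, 14, 17)]
HISTORY += [Event("bob", "finance", "US", "laptop", h) for h in (8, 9, 11, 16)]
HISTORY += [Event("bob", "finance", "US", "desktop", 13)]
HISTORY += [Event("carol", "engineering", c, d, h) for c, d, h in
            (("US", "laptop", 22), ("DE", "laptop", 23), ("US", "laptop", 10), ("DE", "desktop", 2))]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for e in (Event("alice", "finance", "RO", "phone", 3),
              Event("carol", "engineering", "DE", "laptop", 23)):
        print(e.user, classify(BASELINE, e))
```

The same off-hours login from Germany is normal for the engineering role and a flagged anomaly for finance, which is the point of keying the baseline on role rather than on the whole population.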

If Data Has No Value, Its Theft is Pointless

Payment transactions often provide a treasure trove of valuable, usable data for thieves. But if that data has no value, it becomes useless and will eventually no longer be a target for theft in the first place.

Because the theft of this data is so widespread today, we need to start this devaluation cycle immediately and make sure data becomes useless for the purposes of fraud. To that end, it needs to be unreadable, which we can achieve with encryption, invalidated by replacing it with a representative token – or preferably both.

When these mechanisms are layered upon other technologies such as EMV, transaction and data security increases by many orders of magnitude. In this session we’ll discuss the benefits and pitfalls of their interaction, security and deployment.

“This was an excellent event, with clear and insightful presentations. The format worked extremely well and I went away feeling it had been very worthwhile.”


Venue


Hilton Financial District

This San Francisco hotel’s incredible downtown location puts you in the center of the city, within walking distance to numerous attractions. Discover shopping at Union Square, dining in North Beach, culture in Chinatown and family fun at Fisherman’s Wharf, and the perfect location for ISMG’s Fraud and Breach Prevention Summit.

Address

Hilton Financial District

750 Kearny Street

San Francisco, CA 94108

Contact

+1-415-433-6600


Global Event Sponsors


Cyber Extortion: Fighting DDoS Attacks

How to Defend Against the Surge in Shakedowns

by Mathew Schwartz, Executive Editor, ISMG

CONTENT HIGHLIGHT

Cyber-extortion attacks are on the rise for one reason: The lure of easy money.

Such attacks often unfold in this way: Attackers disrupt a site for a short period with a distributed denial-of-service attack, send a ransom note threatening further disruption, and if the ransom doesn’t get paid, sometimes make good on that threat.

An increasing number of attack groups have been waging DDoS extortion campaigns globally, often targeting multiple organizations in any given sector at once before moving on to a new sector and starting afresh.

“We have seen a lot of activity in relation to the ‘DDoS as an extortion’ technique being used by groups such as the Armada Collective and also DD4BC,” says Brian Honan, a Dublin-based information security consultant who heads Ireland’s computer emergency response team. DD4BC is short for “DDoS for Bitcoin,” an extortion racket that first emerged in July 2014.

Law enforcement agencies continue to track and sometimes arrest suspected DDoS extortionists, despite their use of bitcoins to try to disguise their identity (see How Do We Catch Cybercrime Kingpins?). Earlier this month, for example, the EU’s law enforcement intelligence agency, Europol, announced that it helped coordinate an operation that identified “key members of the organized network” behind DD4BC, located in Bosnia and Herzegovina, after which both a “main target” as well as another suspect were arrested there. But authorities haven’t released any further details (see Europol Announces DD4BC Arrests).

It’s unclear just how widespread DDoS extortion attacks are, says Honan, who’s also a cybersecurity adviser to Europol. “I have no sense how many [ransom notes] are being sent,” he says. “One industry we have seen as being victims are online service providers such as email and hosting providers, e.g. Protonmail in Switzerland,” Honan says. ProtonMail is a Geneva-based encrypted email service provider that paid 15 bitcoins (about $6,000) this past November to extortionists, only to have its site get knocked offline anyway. And banking sector experts say that financial services firms are among the most-targeted organizations too.

Extortion Comes in Multiple Forms

Roland Dobbins, a principal engineer at DDoS defense firm Arbor Networks, notes that attackers typically employ DDoS extortions for one of three reasons:

• Profit: Criminals are looking for easy bitcoins.

• Ideology: Many attacks, Dobbins says, are ideologically motivated, with attackers “trying to force the targeted organization to stop doing something the attackers find objectionable, or start doing something the attackers find desirable.”

• Bickering: Some DDoS extortions are what he refers to as “intra-miscreant,” such as rival fraudsters demanding each others’ credit card dumps.

Dobbins says a ransom demand can range anywhere from 1 to 100 bitcoins (worth about $400 to $40,000). In some cases, victims who have paid the ransom then receive repeat, increasing ransom demands from the same extortion gang.

A History of Online Extortion

Using online channels and the threat of disruption to extort victims isn’t new. In fact, DDoS extortion attacks date back to the late 1980s, Dobbins says, when “warez” gangs - referring to illegal copies of software - regularly shut down each other’s IRC channels over petty disputes.

By the mid-1990s, the first packet-flooding attacks against websites appeared as attackers threatened further disruption unless victims paid a ransom via wire transfer, Dobbins says. By the late 1990s, attackers focused on niche sites that were least likely to appeal to authorities, such as online gambling and adult entertainment sites. And that continues to an extent today, with attacks against encrypted email service providers, bitcoin miners, cryptocurrency exchanges and even banks, he says.

After temporarily waning, cyberextortion attacks have surged in recent years, Honan says, especially those targeting organizations in the U.S. and Europe. In November 2015, for example, three Greek banks reported multiple website disruptions after they refused to accede to extortionists’ bitcoin demands (see Greek Banks Face DDoS Shakedown).


Responding to DDoS Extortion: 8 Steps

With the threat of DDoS extortion attacks on the rise, here are eight steps that security experts recommend organizations pursue to defend themselves against related threats and attacks:

• React: Take any extortion threat seriously. Immediately “spin up” an incident response team to manage your organization’s response to any such attacks or threats.

• Defend: Review DDoS defenses to ensure they can handle attackers’ threatened load, and, if necessary, contract with, subscribe to or buy an anti-DDoS service or tool.

• Alert: Warn the organization’s data centers and ISPs about the threatened attack, which they may also be able to help mitigate.

• Report: Tell law enforcement agencies about the threat - even if attackers do not follow through - so they can amass better intelligence to pursue the culprits.

• Withhold: Never pay attackers, which encourages repeat - and copycat - attacks.

• Fallback: If an attack occurs, for its duration, redirect website users to a previously unrevealed and pre-prepared backup site, or else to a ready-made microsite.

• Review: Continually review and update business continuity plans to prepare for any disruption in order to minimize the impact to the organization’s operations.

• Monitor: Consider implementing some type of threat-intelligence capability to track these types of threats.

Paying Ransoms Doesn’t Pay

Regardless of who’s behind any online extortion attempt - or their motivation - experts’ advice for dealing with such threats is clear: “Don’t pay the ransom,” Honan says. “Anyone we’ve seen or dealt with that has not paid the ransom, all of them have not had a subsequent DDoS afterwards.”

By contrast, Arbor’s Dobbins says some organizations that have paid ransoms have been subjected to repeat disruptions and increasing ransom demands. For example, ProtonMail in Switzerland reported that after its website was knocked offline for about 15 minutes and it received a ransom notice, it “grudgingly agreed” to pay the ransom after being pressured by its ISP to do so.

But ProtonMail then got hammered by a second, much larger DDoS attack anyway, although officials say no related ransom note was ever received. The attack not only knocked ProtonMail offline, but also disrupted its ISP’s data center and hundreds of its other downstream customers. “We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless,” ProtonMail said in a blog post. “This was clearly a wrong decision.”

Security experts say the right decision for DDoS ransom-demand victims is to work with law enforcement authorities. “The recent [anti-DD4BC] operation and arrests are a good example of why talking to law enforcement is a good thing,” Honan says. “All that information gets shared with Europol, who then can analyze it and depending on the results of that analysis set up an operation.”

But the importance of preparation - including maintaining logs to understand what normal network-traffic volumes look like, keeping all Internet-facing systems fully patched and working with your ISP and DDoS mitigation services - cannot be overemphasized, according to the U.K.’s computer emergency response team (see The CISO’s Role in Fighting Extortion).

“As part of normal security measures, liaise with your ISP or Internet hosting provider so they can be ready to provide traffic filtering, IP blocking and additional bandwidth to help mitigate any disruption,” a CERT-UK spokesman tells Information Security Media Group. “In attacks seen so far, upstream filtering of specific protocols appears to have been reasonably effective.”


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

www.ismgcorp.com/events

Fraud and Breach Prevention Summit 2016