Why is data security so important?
How does this impact the ACH Network?
What do the ACH Rules say?
Where do ACH transactions go anyway?
What are the vulnerabilities?
What can we do about them?
◦ In 2008, 9.9 million people were victims of identity theft, up 22% over 2007 (Congressional Research Service, May 2009)
◦ 53 million people (including consumers, employees, students and patients) have had data exposed about themselves in a 13-month period (Information Week, 2006)
◦ There were 158 data breaches recorded in 2005, 312 in 2006, and 446 in 2007 (Information Week, Jan. 2008)
◦ 24% of consumers report shopping less online (Visa, 2006)
◦ 44 States have enacted some sort of Data Breach Law (ABA, 2009)
◦ Fraud is now the top reason given for charge backs on several networks (Am. Banker, 2006)
◦ A hacker was indicted for stealing 130 million credit card numbers (Information Week, August 2009)
◦ 43.4% of U.S. adults have received a phishing e-mail and almost 5% of those attacks are successful (First Data Report, 2006)
◦ The FBI’s Internet Fraud Crime Report recorded 207,492 complaint submissions in 2006
Failures Of Business to Protect Consumers:
◦ Network Solutions had a group of hackers break into their Web Servers and steal 573,000 debit and credit card numbers in July of 2009.
◦ Suncoast Schools Federal Credit Union is reissuing 56,000 debit cards after it was just recently determined that the Heartland breach had affected them.
◦ University of North Dakota had a computer stolen in Charleston (last year!) with the personal records of over 84,000 donors. This was reported in June, 2009.
◦ Aetna had a breach resulting from a Spam campaign that included the loss of 65,000 Social Security numbers. They are being sued! (class action) – May, 2009.
◦ Virginia Department of Health along with the FBI and the Virginia State Police are searching for hackers who demanded a $10 Million ransom for return of medical prescription records (many including SS#’s) on 530,000 individuals – May 2009
◦ Checkfree had 160,000 consumer bill payment accounts exposed out of 5 million – they don’t know which ones! – Jan. 2009
◦ And don’t forget: Ameritrade - 200,000 personal records; LexisNexis - 310,000 potential victims; Bank of America - missing over a million records; ChoicePoint, DSW, HSBC, TJX, Hannaford, Certegy...
◦ TJX – 45.7 Million C.C. records, costs are in the 100’s of millions
◦ ChoicePoint – $15 Million in losses
◦ Hannaford Bros. – 4.2 Million records stolen, 1,800 cases of Fraud reported
◦ Certegy – 8.5 Million records compromised – internally generated
◦ Heartland – over 200 financial institutions affected, well over 1 million consumers
Only three financial institution breaches so far this year (not counting Heartland) – there were twelve last year (privacyrights.org)
Business
◦ Employee dishonesty
◦ Poor controls (access, dual controls, storage)
◦ Faulty or old hardware and/or software
◦ Inappropriate internal security
◦ Poor, or no encryption
◦ Whaling, spear-phishing
◦ Bad or no security policies
Consumer
◦ Phishing, pharming, etc.
◦ Family dishonesty
◦ Inappropriate downloads
◦ No or old virus software, anti-spyware, firewalls, etc.
PCI-DSS for cards
ACH Rules include some requirements for ACH
Wire is through Federal Reserve Circulars
Paper???????
◦ Image/RDC – Depends on the network or vendor
[Diagram: card payment flow between Cardholder, Merchant, Acquirer, Processor, Settlement Network, Issuer and Business Organization, showing the Authorization, Posting and Dollars flows]
Developed from the VISA Digital Dozen:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do NOT use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access to data
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Most fraud is in the payments area (check, C.C., debit card, etc.)
ACH is the fastest growing payment network
All that’s needed is an ENTRY point
TEL in 2003
◦ Return rates in the 50% range
◦ Unauthorized rates close to 15%
UCC 4A requirement – Commercially Reasonable Security Procedures between the ODFI and originator
Operator security requirements (encryption and access)
Limited access – YOU HAVE TO HAVE A FINANCIAL INSTITUTION THAT AGREES TO ORIGINATE FOR YOU!!!
In “standard” ACH products very limited
◦ Access to the network should be difficult if ODFI/Co. is managing their risk appropriately (KNOW YOUR CUSTOMER!!)
Electronic Check Products
◦ ARC – Limited loss potential (why would someone else pay my bill?)
◦ RCK – Item has already been returned, but only for NSF or uncollected funds – limited liability
◦ POP – Significant potential for loss
    ◦ For spontaneous purchases at the point of sale
    ◦ Check given back to the consumer
    ◦ Signature required on a separate authorization
    ◦ Fraudster has the evidence
    ◦ NO reasonable fraud management processes in place to date
◦ BOC – Mix of ARC and POP from a vulnerability standpoint
WEB –
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Poor authentication procedures
TEL –
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Incomplete verification processes
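The slides make the point that an entry point is all a fraudster needs, cite TEL’s 2003 return and unauthorized rates, and put the burden on the ODFI to know its customer. The Python below is an added example, not from the presentation, showing how an ODFI can watch its own originators for that pattern in returned entries. The return reason codes are the standard NACHA codes; the originator names, entries and alert thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# NACHA return reason codes by which the Receiver states the debit was not authorized.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}

@dataclass(frozen=True)
class Entry:
    originator: str        # originator company identification
    sec: str               # Standard Entry Class code (TEL, WEB, PPD, ...)
    return_code: str = ""  # empty when the entry was never returned

def return_rates(entries):
    """Per originator: (entry count, overall return rate, unauthorized return rate)."""
    totals, returned, unauth = defaultdict(int), defaultdict(int), defaultdict(int)
    for e in entries:
        totals[e.originator] += 1
        if e.return_code:
            returned[e.originator] += 1
            if e.return_code in UNAUTHORIZED_CODES:
                unauth[e.originator] += 1
    return {o: (n, returned[o] / n, unauth[o] / n) for o, n in totals.items()}

def flag_originators(entries, max_return=0.15, max_unauth=0.005, min_entries=20):
    """Originators breaching the thresholds (assumed values; tune to your own policy).
    Originators under min_entries are skipped: a few returns on a tiny volume is noise,
    not a pattern, and would otherwise raise an alert on every new customer."""
    flags = {}
    for o, (n, ret, una) in return_rates(entries).items():
        if n < min_entries:
            continue
        reasons = []
        if ret > max_return:
            reasons.append(f"return rate {ret:.1%} exceeds {max_return:.1%}")
        if una > max_unauth:
            reasons.append(f"unauthorized return rate {una:.1%} exceeds {max_unauth:.1%}")
        if reasons:
            flags[o] = reasons
    return flags

def sample_entries():
    """Constructed sample: ACME-TEL shows the 2003-style pattern (22 of 40 returned, 7 of
    them unauthorized), GOODCO is healthy (2 NSF returns of 50), NEWCO is too new to judge."""
    acme = [Entry("ACME-TEL", "TEL", "R10" if i < 7 else "R01" if i < 22 else "") for i in range(40)]
    good = [Entry("GOODCO", "PPD", "R01" if i < 2 else "") for i in range(50)]
    new = [Entry("NEWCO", "WEB", "R10" if i < 3 else "") for i in range(5)]
    return acme + good + new
```

Calling `flag_originators(sample_entries())` flags only ACME-TEL; NEWCO’s three unauthorized returns are held back until it has enough volume to judge.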
Section 1.6 – Transmission of ACH Information Via Unsecured Electronic Networks
◦ 128-bit RC4 encryption for all ACH data that is transmitted or exchanged between any and all parties
Section 2.11.2.5 – WEB Annual Audit
◦ Physical Security
◦ Personnel and Access Controls
◦ Network Security
Physical
◦ Who has access to the terminals used to support your on-line banking?
◦ How do they “get” into the space to access their terminal?
◦ What policies and procedures are in place to ensure your space is secure?
◦ Where is your data stored and how secure is that space?
◦ If information is printed, where is that stored, when is it destroyed?
◦ Do you have Uninterruptible Power Supplies installed?
◦ Consider closed circuit TV’s or other monitoring devices
Network
◦ Virus software
◦ Firewalls
◦ Disable all unused ports
◦ Automatic log-outs after a certain amount of inactivity
◦ Change all vendor supplied passwords (administrator, password, etc.)
◦ Encrypt all data when moved and when stored
◦ Use a VPN whenever possible
◦ Install updates as soon as they are published
Personnel and Access Controls
◦ Password Controls
    ◦ Changed on a regular basis
    ◦ Of a specified length and character type
    ◦ Specify HOW they are kept secure
◦ Key fobs (they ARE responsible for their fob!)
◦ Biometric devices
◦ Personnel screening when hiring is done
◦ Dual control on all processes that require handling of sensitive information
◦ Establish a security policy and have each employee read and sign that they have read it
◦ Have an employee awareness training program (they need to know you care... and that you are watching)
ACH Network Data Security Self Assessment Workbook
◦ Began with a review of the VISA digital dozen
◦ Key sections in the workbook
    ◦ Computing your Information Risk Profile (questionnaire based – borrowed from PCI)
    ◦ Controls for high to medium risk originators
    ◦ Controls for low risk originators
    ◦ Case studies and checklists
TIC looked at where we have security built in and where we do not
Project looked at ACH transactions end-to-end
◦ Receivers information at authorization
◦ Movement of data from ODFI to ACH operator to RDFI for posting
◦ Third party involvement
◦ Data at rest (during storage and then destruction)
HOW is the information moved? How is it stored at each point?
◦ How long does each point retain the information?
◦ What data is moved? What data is stored?
◦ Where is that data, and in how many forms or formats?
◦ How is that data finally destroyed?
Verification of who you’re doing business with makes fraud or a breach much less likely... so how do you authenticate?
Face-to-face:
◦ Drivers License, passport, Gov’t ID card, biometric
Virtual:
◦ User ID, Password, token, Digital Certificate
Source: BetterBuyDesign, 2001
A number of authentication methods were tested in the recent past, but per-installed user costs have proved too daunting for most
[Chart: authentication methods plotted by level of security (low to high) against install cost per user ($0 to $75), with a 2001-2002 “zone of acceptance”. Methods shown: Biometrics; Smartcard/Secure PINpad/Certs; Mag-stripe/Secure PINpad/Certs; Mag-stripe/Secure PINpad; PKI in Software Certs; CD/ROM; PKI in Software/Password; PKI in Software/Password +; Password Access/ATM Register; RSA SecurID/Pswd/PIN; Smartcard/Secure PINpad; PKI; Encrypted Hash TxnID]
[Chart: the same authentication methods plotted by level of security (low to high) against install cost per user ($0 to $45), with a 2005 “zone of acceptance”. Methods shown: Biometrics; Smartcard/Secure PINpad/Certs; Mag-stripe/Secure PINpad/Certs; Mag-stripe/Secure PINpad; PKI in Software Certs; CD/ROM; PKI in Software/Password; 3-D-Secure; Password Access; RSA SecurID/Pswd/PIN; Smartcard/Secure PINpad; PKI; Encrypted Hash TxnID; Machine and Device IDs; Host-supplied encryption]
Source: BetterBuyDesign, 2001
Yet there were no real changes in the mix—just a proliferation of “would-be” alternatives that have yet to achieve any real traction
Information Fraud: Sensitive Information Movement
[Diagram: sensitive information moving across endpoints, applications, storage, files and the network. Stores shown: production data, data warehouse, DR, staging, file server, disk storage, backup disk, backup tape, enterprise email, business analytics, customer portal and outsourced development; reached by WW campuses, WW customers, WW partners and remote employees over WAN, WWW and VPN]
Security is a TOTAL System, Process, and Procedure Issue!!
Information Fraud: Specific Risks
[Diagram: the same information-movement map annotated with the specific risk at each point. Network: intercept, eavesdropping, DOS, unavailability. Endpoints and devices: device theft, device loss, takeover, fraud, unauthorized activity. Applications: unauthorized access, unauthorized activity, corruption. Storage and files (disk storage, backup disk, backup tape, file server): media theft, media loss, data theft, data loss, unauthorized access, unintentional distribution. Shown across production data, data warehouse, DR, staging, enterprise email, business analytics, customer portal and outsourced development, reached by WW campuses, WW customers, WW partners and remote employees over WAN, WWW and VPN]
For every step taken to secure data the hacking community will find a vulnerability
Our job: keep one step ahead!
◦ Know your customer, and your customer’s customers (KYC)
◦ Have good technical resources available
◦ Strong policies and procedures internally
◦ Employee training, and more training!!
Fred Laing, II
UMACHA
7100 Northland Circle, Suite 407
Brooklyn Park, MN 55428
(763)
[email protected]