
For Payments, the Best Offense is a Multi-Tiered Security and Policy-Based Defense
Dan Miner, CTP, General Manager, Treasury Services, 3Delta Systems
Friday, June 8, 2012, 10:10 – 11:00 AM, Plaza B
PowerPoint (PPT) presentation


Most contentious privacy and governance topics: mobile/location data

For Payments, the Best Offense is a Multi-Tiered Security and Policy-Based Defense
Dan Miner, CTP, General Manager, Treasury Services, 3Delta Systems

Friday, June 8, 2012, 10:10 – 11:00 AM, Plaza B

LEGAL DISCLAIMER
Nothing we discuss today constitutes legal advice. For any specific questions, seek the independent advice of your attorney.

Consumerization of the Workspace
Data: anywhere, anytime, on any device
Devices:
- Tablet PCs
- Smart phones
- Home systems used to access work assets
- BYOD
Angry Birds, anyone? Fun. Harmless (probably). How about DroidDream?
Social media: used as a recon base for phishers

The Fine and Ancient Art of Phishing
I don't think I bought this.

Oh, NO! My Google AdWords have stopped working. Better get right on that!

And now I am getting sued (by illiterates). Trough?

And I can't even get paid (sample phishing e-mail from the slide):

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 22, 2011 7:32 AM
To: Doe, John
Subject: ACH transaction rejected

The ACH transaction, recently sent from your checking account (by you or any other person), was cancelled by the Electronic Payments Association.

Please click here to view report
------------------------------------------------------------------
Otto Tobin, Risk Manager
= = = = = = = = = = = = = = = = = = =

Compromises At All-Time High
More breaches, less stolen data?
- Number of breaches almost doubled since 2010 (Verizon Data Breach Report)
- However, record loss decreases: 361 million >> 144 million >> 4 million

Compromises At All-Time High (cont.)
From the Verizon 2011 Data Breach Investigations Report: "It appears that cybercriminals are currently satisfied with compromising Point-of-Sale (POS) systems and performing account takeovers and Automated Clearing House (ACH) transaction fraud. There has been an increase in these areas in 2010. In relation to prior years, it appeared that there were more data breaches in 2010, but the compromised data decreased due to the size of the compromised companies' databases. This shows willingness in the cybercriminal underground to go after the smaller, easier targets that provide them with a smaller yet steady stream of compromised data."

Compromises At All-Time High (cont.)
From the Verizon 2011 Data Breach Investigations Report: "There's been a noticeable increase in account takeovers. This can be directly related to the continued rise of the Zeus Trojan and other malware variants created to capture login credentials to financial websites. These account takeovers result in fraudulent transfers from the victim's account to an account under the control of the perpetrator."

Increased Scrutiny and Liability: Data Collection/Use
- Explosion in use of mobile phones and apps has led to increased scrutiny of how providers and application developers are collecting, using and sharing mobile data.
- WSJ articles and high-profile breaches spawned a series of congressional inquiries and hearings regarding companies' data collection, use and sharing practices.
- August 2010: Congress asked 15 companies re: online behavioral tracking
- October 2010: Congress asked Facebook re: sending user identifiers to app developers
- April 2011: Congress asked Apple re: location data on iPhones and iPads
- May 2011: Sen. Franken sent letters to Apple and Google asking the companies to require that all apps for Apple's iOS and Google's Android OS have privacy policies

Legislative and Regulatory Activity
Pending cybersecurity bills in the last Congress numbered over 45, and many (at least 42) are already pending in the 112th Congress, including:
- Cybersecurity and Internet Freedom Act of 2011 (S. 413)
- S. 21 - Cyber Security and American Cyber Competitiveness Act of 2011
- S. 1151 - Personal Data Privacy and Security Act of 2011
- S. 1223 - Location Privacy Protection Act of 2011
- S. 1408 - Data Breach Notification Act of 2011
- S. _____ - Cloud Computing Act of 2011
- S. _____ - Legislation on Securing the U.S. Electrical Grid
- H.R. 174 - Homeland Security Cyber and Physical Infrastructure Protection Act
- H.R. 2096 - Cybersecurity Enhancement Act of 2011
- H.R. 2577 - Secure and Fortify Electronic (SAFE) Data Act

Legislative and Regulatory Activity: Regulatory
- OCC guidance re: application security (OCC 2008-16)
- HIPAA Security Rule updates (NIST 800-66)
- Proposed FTC Privacy Framework (December 1, 2010)
- International: EU Cookie Law
- FFIEC guidance: supplement to the Authentication in an Internet Banking Environment guidance

Selected Litigation Example
Experi-Metal v. Comerica (2011). A successful phishing attack led to over $9MM in fraudulent transfers; lawsuit by the business against the bank; the judge ruled for the business, stating "[t]his trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."

PCI DSS Penalties for Non-Compliance
- Failure to comply (or certify compliance) with the PCI DSS may result in fines
- Fines for non-compliance can be up to $5K - $10K per month
- If you have a data breach and are not PCI-compliant, fines can be as high as $500K (MasterCard) or $750K (VISA)
- Merchants may also be responsible for any fraudulent charges resulting from the breach and the costs of re-issuing any cards compromised during the breach
- In theory, you can be precluded from accepting credit/debit cards if your compliance deficiencies are bad enough

FFIEC Guidance Summary
Not every online transaction poses the same level of risk.
- Retail/Consumer Banking: Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk.
- Business/Commercial Banking: Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer.

FFIEC Guidance Summary (cont.)
- Financial institutions should implement layered security, utilizing controls consistent with the increased level of risk for covered business transactions.
- Recommends that institutions offer multifactor authentication to their business customers.

FFIEC Layered Defense Suggestions
Technical Countermeasures Emphasize Enhanced Authentication
- Dual customer authorization through different access devices
- Out-of-band verification for transactions
- "Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account
- Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities

FFIEC Layered Defense Suggestions
Policy/Activity-Based Countermeasures Emphasize Usage Management
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day and allowable payment windows [e.g., days and times]

FFIEC Layered Defense Suggestions
Policy/Activity-Based Countermeasures Emphasize Usage Management (cont.)
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
- Enhanced control over changes to account maintenance activities performed by customers, either online or through customer service channels
- Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk

Layered Security Model
Begin with the assumption your clients' systems are compromised. Can you do business?
Contemporary systems are being developed to robustly and repeatedly answer:
- Who are you? (Authentication)
- Where can you go in the system? (Authorization)
- What can you see when you get there? (Authorization)
- What can you do when you get there? (Authorization)

Layered Security Model (cont.)
And allow these rights and permissions to be assigned at various levels through the organization, with vigorous logging and auditing capability (Accounting).

Layered Security Model: Data Tokenization
- Investigate new methods of reducing risk, such as data tokenization, as a means of removing the valuable and risky data from systems
- Valuable data is replaced by value-less data: credit card number 4111 1111 2222 3333 is replaced by PG43J74F or otherwise useless-to-the-criminal values
- Tokenization reduces the scope of PCI efforts, as the presence of a cardholder data environment can be reduced or eliminated
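As an added illustration, not part of the presentation, the following Python sketch applies the FFIEC usage-management controls listed earlier (transaction value threshold, approved recipients, transactions per day, allowable payment window, dual authorization) to constructed sample payment requests and records every decision as an accounting trail. The policy values, user and recipient names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class AccountPolicy:
    max_single_amount: float   # transaction value threshold
    max_daily_count: int       # transactions allowed per user per day
    allowed_recipients: set    # pre-approved payment recipients
    allowed_weekdays: set      # allowable days, 0 = Monday ... 6 = Sunday
    window: tuple              # allowable hours (start, end), end exclusive
    dual_auth_above: float     # amounts above this need a second approver

@dataclass
class Ledger:
    sent_per_day: dict = field(default_factory=dict)  # (user, date) -> count
    audit_log: list = field(default_factory=list)     # accounting trail

def evaluate(policy, ledger, tx):
    """Return (decision, reasons); decision is ALLOW, HOLD or DENY."""
    when, reasons = tx["when"], []
    day_key = (tx["user"], when.date())
    if tx["recipient"] not in policy.allowed_recipients:
        reasons.append("recipient not on approved list")
    if tx["amount"] > policy.max_single_amount:
        reasons.append("amount above value threshold")
    if ledger.sent_per_day.get(day_key, 0) >= policy.max_daily_count:
        reasons.append("daily transaction count exhausted")
    in_window = policy.window[0] <= when.hour < policy.window[1]
    if when.weekday() not in policy.allowed_weekdays or not in_window:
        reasons.append("outside allowable payment window")
    if reasons:
        decision = "DENY"
    elif tx["amount"] > policy.dual_auth_above and len(set(tx["approvers"])) < 2:
        decision, reasons = "HOLD", ["dual authorization required"]  # second approver needed
    else:
        decision = "ALLOW"
        ledger.sent_per_day[day_key] = ledger.sent_per_day.get(day_key, 0) + 1
    ledger.audit_log.append((when.isoformat(), tx["user"], tx["recipient"],
                             tx["amount"], decision, reasons))  # log every decision
    return decision, reasons

def demo():
    policy, ledger = AccountPolicy(25_000, 2, {"VENDOR-001"}, {0, 1, 2, 3, 4}, (8, 18), 10_000), Ledger()
    def req(recipient, amount, hour=10, approvers=("jdoe",)):  # constructed request, Monday 2012-06-04
        return dict(user="jdoe", recipient=recipient, amount=amount,
                    when=datetime(2012, 6, 4, hour), approvers=list(approvers))
    reqs = [req("VENDOR-001", 5_000), req("VENDOR-001", 15_000), req("MULE-ACCT", 5_000),
            req("VENDOR-001", 5_000, hour=23), req("VENDOR-001", 15_000, approvers=("jdoe", "asmith")),
            req("VENDOR-001", 1_000)]
    return [evaluate(policy, ledger, r)[0] for r in reqs], ledger
```

Running demo() yields ALLOW, HOLD, DENY, DENY, ALLOW, DENY: the unapproved recipient and the late-evening request are refused outright, the large single-approver payment is held for a second approver, and the final request fails only because the daily count is used up.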

Why do ants show up at a picnic? It's where the food is.

Summary
- Corporate risk management is really getting interesting
- The number of devices and systems that directly or indirectly access financial systems is exploding, and innovation is outstripping controls
- Criminal malware is very good, very prevalent, and very hard to detect
- Account takeover cases are exploding

Summary (cont.)
- Legal and regulatory consequences and impacts on corporate operations are numerous, complex and ambiguous. Rights and responsibilities are still being defined.
  - Corporate as a consumer of banking / financial services
  - Corporate as the provider of systems to its customers
- Layered security and control models emphasizing multiple measures and countermeasures are the recommended solution

Questions / Discussion

Presenter
Dan Miner, CTP
General Manager, Treasury Services
3Delta Systems, [email protected]
(w) 703.234.6016

www.3DSI.com