Financial Data Protection. Financial Data is an Asset??!! The Compromise. Your Bank’s Security.

37 slides

Transcript of Financial Data Protection

Page 1: Financial Data Protection

Page 2: Financial Data Protection

Financial Data is an Asset??!!
The Compromise
Your Bank’s Security
The Weakest Link
Solutions for Safety

Page 3: Our Most Valuable Asset…

Before the Internet

Page 4: Today’s Valuable Assets

Personal Financial Data =

Page 5: What is Financial Data?

SSN# and DOB
Address
Mother’s Maiden name
Credit / Debit card and Account numbers
User Name and Passwords
Drivers license or identification numbers
Check Information

Page 6: How is Data Compromised?

POS / ATM Skimming

Page 7: How is Data Compromised?

POS / ATM Skimming

Page 8: How is Data Compromised?

Data Breach - Headlines

TJX - Between 47 and 200 Million Cards Compromised
• Weak encryption on TJX’s wireless network allowed the theft of card information.

26.5 Million Veteran’s personal records exposed
• An employee’s computer was stolen containing unencrypted information on 26.5 million people. The information included names, social security numbers, date of birth and other personally identifiable information.

Page 9: How is Data Compromised?

Internet Usage
• Viruses, Malware & Keyloggers
• Man in the Middle
• Man in the browser
• Social Networking
• Games

Video link

Page 10: The Reality of Computer Security

22.7 million computers scanned
48.35% compromised

A micro study of 10,000 computers
• 55% of computers equipped with up to date antivirus and security software were not able to detect and remove the Zeus virus
• 14% had antivirus that was not up to date
• 31% did not have antivirus at all

Source: APWG Q3, 2009 Report

Page 11: How is Data Compromised?

Email and Phone
• Phishing / Vishing
• Data Leakage
• Clicking on links in text messages or email
• Nigerian fraud / money mules

Page 12:

Page 13: What do they do with it?

Account Take Over
Check Fraud
Credit / Debit Fraud
Identity Theft
• Take out loans
• Open deposit accounts
• Apply for credit cards

Page 14: Account Takeover

Fraudster hacks into your PC
Downloads malware such as a keylogger to gain your online log on credentials
Logs on with complete access to your account information and features
Sets up a new payee and initiates a transfer of funds via ACH or Wire
The money is sent to the money mule and is then emptied and abandoned

Page 15: Online banking “just makes life simpler”

Internet Usage in 2010 was 36%
Internet Usage in 2011 was 62%

Source: ABA survey

Page 16: Your Bank’s Security Obligations

Gramm Leach Bliley Act “GLBA” (Customer) 1999
FFIEC Internet Authentication Guidance 2005 & 2011
MA 201 CMR 17.00 Mass Residents - 2010

Page 17: Minimum Standards of Protection

GLBA & MA 201 CMR 17
Anti Virus Software
Anti Spam Software
Patching
Software Upgrades
Penetration Testing
Vulnerability Testing
Auditing
Firewalls
Web Filters
Annual Training
Vendor Management
Secured Storage
Password Requirements
Encryption
Policies & Procedures
Provide Encrypted Removable Media
Computer Logs
Document shredding
Secured trash disposal
Secure Email

Page 18: FFIEC Internet Authentication Guidance

Current Security
• Reverse Phishing
• Multi Factor Authentication (device ID - cookie)
• Challenge Questions at Log In

New security
• Complex Device Identification
• Complex Challenge Questions
• Layered security for high risk transactions
• Detect and respond to anomalous/suspicious activity at log in and transaction level
• Out of band authentication
• Dual Control, Isolated PC for Online Banking
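The guidance item above asks a bank to detect and respond to anomalous activity at both login and transaction level. The following is an added example, not part of the presentation and not taken from any FFIEC text: a small rules-based risk scorer that combines the indicators this deck itself describes (an unrecognised device at login, a newly created payee, an ACH/wire transfer shortly afterwards, an amount above the customer’s history) and maps the total to the layered responses the slide names (allow, out-of-band step-up, hold for dual control). The event layout, profile fields, point values, thresholds and sample sessions are all constructed for illustration.

```python
"""Rules-based anomaly scoring for an online-banking session.

Added example (constructed): scores a chronological list of session events
against the takeover pattern described in the deck and picks a layered
response. Indicator weights and thresholds are illustrative values only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Profile:
    customer: str
    known_devices: set            # device IDs previously registered by this customer
    typical_max_transfer: float   # constructed baseline: largest past transfer


@dataclass
class Event:
    ts: datetime
    kind: str                     # "login", "add_payee" or "transfer"
    detail: dict = field(default_factory=dict)


# Risk points per indicator and the thresholds for each response (constructed).
UNKNOWN_DEVICE = 40
NEW_PAYEE = 20
TRANSFER_SOON_AFTER_NEW_PAYEE = 30
AMOUNT_OVER_BASELINE = 30
STEP_UP_THRESHOLD = 50   # require out-of-band authentication before continuing
HOLD_THRESHOLD = 80      # hold the transfer for dual control / fraud review


def score_session(profile, events):
    """Return (score, reasons, action) for one session's events."""
    score, reasons = 0, []
    new_payees = {}   # payee -> time it was created during this session
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login" and ev.detail["device_id"] not in profile.known_devices:
            score += UNKNOWN_DEVICE
            reasons.append("login from unrecognised device")
        elif ev.kind == "add_payee":
            new_payees[ev.detail["payee"]] = ev.ts
            score += NEW_PAYEE
            reasons.append("new payee added")
        elif ev.kind == "transfer":
            payee, amount = ev.detail["payee"], ev.detail["amount"]
            created = new_payees.get(payee)
            if created is not None and ev.ts - created <= timedelta(minutes=30):
                score += TRANSFER_SOON_AFTER_NEW_PAYEE
                reasons.append("transfer to payee created within 30 minutes")
            if amount > profile.typical_max_transfer:
                score += AMOUNT_OVER_BASELINE
                reasons.append("amount exceeds customer's historical maximum")
    if score >= HOLD_THRESHOLD:
        action = "hold"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return score, reasons, action


def build_sample_sessions():
    """Constructed sessions: one routine, one matching the takeover pattern, one borderline."""
    t0 = datetime(2011, 6, 1, 9, 0)
    profile = Profile("acme-llc", {"dev-laptop-01", "dev-laptop-02"}, 2000.0)
    routine = [
        Event(t0, "login", {"device_id": "dev-laptop-01"}),
        Event(t0 + timedelta(minutes=5), "transfer", {"payee": "landlord", "amount": 1500.0}),
    ]
    takeover = [
        Event(t0, "login", {"device_id": "unknown-7f3a"}),
        Event(t0 + timedelta(minutes=3), "add_payee", {"payee": "mule-acct"}),
        Event(t0 + timedelta(minutes=12), "transfer", {"payee": "mule-acct", "amount": 9500.0}),
    ]
    borderline = [
        Event(t0, "login", {"device_id": "dev-laptop-02"}),
        Event(t0 + timedelta(minutes=2), "add_payee", {"payee": "new-vendor"}),
        Event(t0 + timedelta(minutes=8), "transfer", {"payee": "new-vendor", "amount": 250.0}),
    ]
    return profile, {"routine": routine, "takeover": takeover, "borderline": borderline}


def run_demo():
    """Score every constructed session; returns {name: (score, reasons, action)}."""
    profile, sessions = build_sample_sessions()
    return {name: score_session(profile, evs) for name, evs in sessions.items()}


if __name__ == "__main__":
    for name, (score, reasons, action) in run_demo().items():
        print(f"{name:10s} score={score:3d} action={action:8s} {'; '.join(reasons)}")
```

The point of the design is that no single indicator decides: a new payee on a known device only triggers step-up authentication, while the full takeover sequence (unknown device, new payee, immediate large transfer) crosses the hold threshold and is routed to dual control, which is exactly the layered response the guidance calls for.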

Page 19:

Page 20: What makes us the weakest link?

There is an inverse relationship between convenience (ease-of-use) and security. As you increase security, you lose convenience.

(Diagram: Convenience vs. Security)

Page 21: What Makes Us the Weakest Link?

Easily guessed passwords
• Too short, too simple, common words

Not keeping secrets
• Writing passwords down, sending confidential data in e-mails

Trusting things we get from others
• Opening email attachments, clicking on links

Page 22: Social Engineering

Social engineering is the art of manipulating people into performing actions or divulging confidential information.

Page 23: What do you have that they want?

Money
Customer Information
Employee Information
Business Information
Access to Systems

Why do they want access to Systems?

Page 24: Social Networking Danger

http://www.youtube.com/watch?v=ASV25lLoROg&feature=related

Page 25: Social Networking Danger

Phony profile and friend request (phishing attempt)
43% accepted the friend request
72% gave email address
84% gave full DOB
87% gave details about workplace or education
78% listed current address or location
23% listed current phone number
26% provided their IM screen name

In most cases, access to photos, likes, dislikes, hobbies, employer detail and other personal information was also gained.

Source: Sophos YouTube video – Identity theft made easy

Page 26: The Risk of Convenience

Analysis of 32 million passwords stolen
• 20% or 6.4 million used only 5000 different passwords!

#1 123456 (used 290,731 times)
#2 12345
#3 123456789
#4 password
#5 iloveyou

Source: Imperva

Page 27: Strong Passwords

Long passwords, mixing letters, numbers, and symbols are tough to crack. The best passwords are memorable but hard to type!
• 8 Characters long
• Contains Upper and Lower case letters
• Contains at least one number or special character
• Is not a dictionary word in any language
• Cannot be easily guessed
• Changed every 90 days
• Don’t tell anyone your password
• Don’t write your password down anywhere

Page 28: Mnemonics Made Easy

“Water, water everywhere and not a drop to drink” (Rime of the Ancient Mariner) converts to Wwe&nadtd.

“We Three Kings from Orient Are” converts to w3KfOr3691.
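As an added example, not taken from the presentation, the Python below turns the strong-password checklist from the previous slide into a function that reports which rules a candidate fails, and implements the mnemonic rule behind the first conversion above (first letter of each word, case kept, the word “and” written as “&”), so the checklist can be run against the passphrase the slide derives. The word list and the common-password set are constructed stand-ins (the common set is the top five from the Imperva slide); the 90-day rotation rule needs stored change dates and is not checked. The second conversion (w3KfOr3691) follows a hand-picked scheme rather than a mechanical rule, so the function only reproduces the first.

```python
"""Strong-password checklist and first-letter mnemonic (added example, constructed).

check_password() applies the rules listed on the "Strong Passwords" slide;
mnemonic() derives a passphrase the way the first "Mnemonics Made Easy"
example does. Word lists here are small constructed stand-ins.
"""
import re
import string

MIN_LENGTH = 8  # slide rule: "8 Characters long"

# Constructed stand-in for a real dictionary; a production check loads a full word list.
SMALL_WORDLIST = {"password", "iloveyou", "water", "welcome", "letmein", "mariner"}
# The five most-used passwords from the Imperva analysis quoted on the previous slide.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}


def check_password(pw, wordlist=SMALL_WORDLIST, common=COMMON_PASSWORDS):
    """Return the list of checklist rules the candidate fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("needs both upper and lower case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("needs at least one number or special character")
    if pw.lower() in wordlist:
        failures.append("is a dictionary word")
    if pw.lower() in common:
        failures.append("is a commonly used password")
    return failures


def mnemonic(phrase, substitutions=None):
    """First letter of each word with its case preserved; whole words listed in
    `substitutions` (by default only 'and' -> '&') are replaced by a symbol."""
    if substitutions is None:
        substitutions = {"and": "&"}
    letters = []
    for word in re.findall(r"[A-Za-z']+", phrase):   # punctuation between words is dropped
        letters.append(substitutions.get(word.lower(), word[0]))
    return "".join(letters)


def demo():
    """Derive the slide's first passphrase and run the checklist on it and on two weak choices."""
    phrase = "Water, water everywhere and not a drop to drink"
    derived = mnemonic(phrase)
    return {
        "derived": derived,
        "derived_failures": check_password(derived),
        "password_failures": check_password("password"),
        "123456_failures": check_password("123456"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows why the slide pairs the two ideas: the nine-character mnemonic passes every checkable rule, while “password” and “123456” each fail several, including the “commonly used” check that a dictionary lookup alone would miss for the numeric one.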

Page 29: Strong Passwords

http://www.youtube.com/watch?v=ap6QnMv0fBo&feature=related

Page 30: Security Measures

Review accounts frequently
Be suspicious of emails and links
Sign up for alerts
Never register a foreign computer
Note the https
Note the bank’s web address
Save any shortcuts under a fake name

Page 31: Online Banking Security

http://www.youtube.com/watch?v=mWNEoBIxhSs

Page 32: Identity Theft Red Flags

You order new checks or a debit card and never receive them
You see unauthorized activity on your account or credit report
You receive a change of address notice from your bank
You begin to receive calls for debt collection

Page 33: Additional Security Measures

Guard SSN, DOB, Mother’s Maiden Name
Guard your mailbox
Sign up for electronic statements
Take your receipts (ATM, Debit, Credit)
Order your credit report annually
• Equifax, Experian, TransUnion
• www.annualcreditreport.com
Shred, Shred, Shred

Page 34: Identity Theft Prevention

http://www.youtube.com/watch?v=H35DASgwPZc&feature=related

Page 35: Online Security

There is an inverse relationship between convenience (ease-of-use) and security. As you increase security, you lose convenience.

(Diagram: Convenience vs. Security)

Page 36:

In order to WIN, we need to be perfect. For the malicious party to win, they need only to exploit one mistake.

Page 37: Resources

Identity Theft information – ESB
• http://www.bankesb-idtheft.com/home.htm

Fraud Advisory for Businesses: Corporate Account Take Over (FBI, USSS, IC3, FS-ISAC)
• http://www.ic3.gov/media/2010/corporateaccounttakeover.pdf

Fighting back against Identity Theft (FTC)
• http://www.ftc.gov/bcp/edu/microsites/idtheft/

FBI Scams and Safety
• http://www.fbi.gov/scams-safety/

Better Business Bureau – Data Security made simpler
• http://www.bbb.org/data-security/Data-Security-Made-Simpler.pdf

Onguard Online – Consumer protection (FTC)
• http://onguardonline.gov/

Bureau of Consumer Protection – Business
• http://business.ftc.gov/