Financial Data Protection

Financial Data is an Asset??!!
The Compromise
Your Bank’s Security
The Weakest Link
Solutions for Safety
Our Most Valuable Asset… Before the Internet

Today’s Valuable Assets
Personal Financial Data
What is Financial Data?
• SSN# and DOB
• Address
• Mother’s Maiden name
• Credit / Debit card and Account numbers
• User Name and Passwords
• Drivers license or identification numbers
• Check Information
How is Data Compromised?
POS / ATM Skimming

How is Data Compromised?
Data Breach - Headlines
TJX - Between 47 and 200 Million Cards Compromised
• Weak encryption on TJX’s wireless network allowed the theft of card information.
26.5 Million Veteran’s personal records exposed
• An employee’s computer was stolen containing unencrypted information on 26.5 million people. The information included names, social security numbers, date of birth and other personally identifiable information.
How is Data Compromised?
Internet Usage
• Viruses, Malware & Keyloggers
• Man in the Middle
• Man in the browser
• Social Networking
• Games
Video link
The Reality of Computer Security
22.7 million computers scanned; 48.35% compromised
A micro study of 10,000 computers
• 55% of computers equipped with up to date antivirus and security software were not able to detect and remove the Zeus virus
• 14% had antivirus that was not up to date
• 31% did not have antivirus at all
Source: APWG Q3, 2009 Report
How is Data Compromised?
Email and Phone
• Phishing / Vishing
• Data Leakage
• Clicking on links in text messages or email
• Nigerian fraud / money mules
What do they do with it?
Account Take Over
Check Fraud
Credit / Debit Fraud
Identity Theft
• Take out loans
• Open deposit accounts
• Apply for credit cards
Account Takeover
• Fraudster hacks into your PC
• Downloads malware such as a keylogger to gain your online log on credentials
• Logs on with complete access to your account information and features
• Sets up a new payee and initiates a transfer of funds via ACH or Wire
• The money is sent to the money mule and is then emptied and abandoned
Online banking “just makes life simpler”
Internet Usage in 2010 was 36%
Internet Usage in 2011 was 62%
Source: ABA survey
Your Bank’s Security Obligations
Gramm Leach Bliley Act “GLBA” (Customer) 1999
FFIEC Internet Authentication Guidance 2005 & 2011
MA 201 CMR 17.00 Mass Residents - 2010
Minimum Standards of Protection
GLBA & MA 201 CMR 17
• Anti Virus Software
• Anti Spam Software
• Patching
• Software Upgrades
• Penetration Testing
• Vulnerability Testing
• Auditing
• Firewalls
• Web Filters
• Annual Training
• Vendor Management
• Secured Storage
• Password Requirements
• Encryption
• Policies & Procedures
• Provide Encrypted Removable Media
• Computer Logs
• Document shredding
• Secured trash disposal
• Secure Email
FFIEC Internet Authentication Guidance
Current Security
• Reverse Phishing
• Multi Factor Authentication (device ID - cookie)
• Challenge Questions at Log In
New security
• Complex Device Identification
• Complex Challenge Questions
• Layered security for high risk transactions
• Detect and respond to anomalous/suspicious activity at log in and transaction level
• Out of band authentication
• Dual Control, Isolated PC for Online Banking
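An added Python example (not from the deck or any bank's system) showing what "layered security" and "detect anomalous activity at log in and transaction level" look like in practice: each step of the account-takeover chain described earlier (unrecognised device, new payee, high-value wire) adds a point to a session risk score, and sessions over a threshold are alerted. The log format, field names and device registry are assumptions; the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not real data): "timestamp user session event key=value ..."
SAMPLE_LOG = """\
2011-05-02T09:01:00 alice s1 login device=known-1
2011-05-02T09:03:00 alice s1 transfer type=ACH payee=utility-co amount=120.00
2011-05-02T22:14:00 alice s2 login device=unknown-77
2011-05-02T22:15:00 alice s2 add_payee payee=mule-acct
2011-05-02T22:16:00 alice s2 transfer type=Wire payee=mule-acct amount=9500.00
2011-05-03T08:00:00 bob s3 login device=known-2
2011-05-03T08:02:00 bob s3 add_payee payee=new-landlord
2011-05-03T08:05:00 bob s3 transfer type=ACH payee=new-landlord amount=1500.00
"""

# Assumed: devices the bank has previously registered per customer (the "device ID" layer)
KNOWN_DEVICES = {"alice": {"known-1"}, "bob": {"known-2"}}

def parse_line(line):
    """Split one log line into a dict; key=value fields become entries."""
    ts, user, session, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "user": user, "session": session, "event": event, **attrs}

def score_session(user, events, known_devices, high_amount=1000.0):
    """Layered risk score: every independent signal adds one point."""
    reasons = []
    new_payees = {ev["payee"] for ev in events if ev["event"] == "add_payee"}
    for ev in events:
        if ev["event"] == "login" and ev["device"] not in known_devices.get(user, set()):
            reasons.append("login from unrecognised device")
        if ev["event"] == "transfer":
            if ev["payee"] in new_payees:
                reasons.append("transfer to a payee added in this session")
            if float(ev["amount"]) >= high_amount:
                reasons.append("high-value transfer")
            if ev["type"] == "Wire":
                reasons.append("wire transfer (hard to recall)")
    return len(reasons), reasons

def detect_takeover(log_text, known_devices, threshold=3):
    """Group events by (user, session) and return sessions at or above the threshold."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        sessions[(ev["user"], ev["session"])].append(ev)
    alerts = []
    for (user, session), events in sessions.items():
        score, reasons = score_session(user, events, known_devices)
        if score >= threshold:
            alerts.append({"user": user, "session": session, "score": score, "reasons": reasons})
    return alerts
```

With the default threshold only alice's night-time session is alerted; bob's legitimate new payee scores 2, which is where a step-up control such as out of band authentication would apply instead of a block.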
What makes us the weakest link?
There is an inverse relationship between convenience (ease-of-use) and security. As you increase security, you lose convenience.
(Chart: Convenience vs. Security)
What Makes Us the Weakest Link?
Easily guessed passwords
• Too short, too simple, common words
Not keeping secrets
• Writing passwords down, sending confidential data in e-mails
Trusting things we get from others
• Opening email attachments, clicking on links
Social Engineering
Is the art of manipulating people into performing actions or divulging confidential information.
What do you have that they want?
Money
Customer Information
Employee Information
Business Information
Access to Systems
Why do they want access to Systems?
Social Networking Danger
http://www.youtube.com/watch?v=ASV25lLoROg&feature=related
Social Networking Danger
Phony profile and friend request (phishing attempt)
• 43% accepted the friend request
• 72% gave email address
• 84% gave full DOB
• 87% gave details about workplace or education
• 78% listed current address or location
• 23% listed current phone number
• 26% provided their IM screen name
In most cases, access to photos, likes, dislikes, hobbies, employer detail and other personal information was also accessed.
Source: Sophos YouTube video – Identity theft made easy
The Risk of Convenience
Analysis of 32 million passwords stolen
• 20% or 6.4 million used only 5000 different passwords!
#1 123456 (used 290,731 times)
#2 12345
#3 123456789
#4 password
#5 iloveyou
Source: Imperva
Strong Passwords
Long passwords, mixing letters, numbers, and symbols are tough to crack. Best passwords are memorable but hard to type!
• 8 Characters long
• Contains Upper and Lower case letters
• Contains at least one number or special character
• Is not a dictionary word in any language
• Cannot be easily guessed
• Changed every 90 days
• Don’t tell anyone your password
• Don’t write your password down anywhere
Mnemonics Made Easy
“Water, water everywhere and not a drop to drink” (Rime of the Ancient Mariner) converts to Wwe&nadtd.
“We Three Kings from Orient Are” converts to w3KfOr3691.
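An added Python example (not from the deck) that builds a mnemonic password the way the first example above does (first letter of each word, with "and" written as "&") and then checks a password against the rules on the Strong Passwords slide and the Imperva top five. The weak-password set and the dictionary are small constructed stand-ins for real lists; the second mnemonic (w3KfOr3691) was hand-crafted with extra digits, so the function checks it but does not reproduce it.

```python
import re
import string

# Constructed stand-ins (not real lists): the deck's Imperva top five, and a tiny dictionary
TOP_WEAK = {"123456", "12345", "123456789", "password", "iloveyou"}
DICTIONARY = {"password", "sunshine", "welcome", "dragon", "water"}

def mnemonic_password(phrase):
    """First letter of each word, with 'and' written as '&'; punctuation is dropped."""
    out = []
    for word in re.findall(r"[A-Za-z0-9]+", phrase):
        out.append("&" if word.lower() == "and" else word[0])
    return "".join(out)

def check_policy(pw):
    """Return the slide rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("at least 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("upper and lower case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("a number or special character")
    if pw.lower() in DICTIONARY:
        failures.append("not a dictionary word")
    if pw.lower() in TOP_WEAK:
        failures.append("not a commonly used password")
    return failures
```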
Strong Passwords
http://www.youtube.com/watch?v=ap6QnMv0fBo&feature=related
Security Measures
• Review accounts frequently
• Be suspicious of emails and links
• Sign up for alerts
• Never register a foreign computer
• Note the https
• Note the bank’s web address
• Save any shortcuts under a fake name
Online Banking Security
http://www.youtube.com/watch?v=mWNEoBIxhSs
Identity Theft Red Flags
• You order new checks or a debit card and never receive them
• You see unauthorized activity on your account or credit report
• You receive a change of address notice from your bank
• You begin to receive calls for debt collection
Additional Security Measures
• Guard SSN, DOB, Mother’s Maiden Name
• Guard your mailbox
• Sign up for electronic statements
• Take your receipts (ATM, Debit, Credit)
• Order your credit report annually
  • Equifax, Experian, TransUnion
  • www.annualcreditreport.com
• Shred, Shred, Shred
Identity Theft Prevention
http://www.youtube.com/watch?v=H35DASgwPZc&feature=related
Online Security
There is an inverse relationship between convenience (ease-of-use) and security. As you increase security, you lose convenience.
(Chart: Convenience vs. Security)
In order to WIN, we need to be perfect. For the malicious party to win, they need only to exploit one mistake.
Resources
Identity Theft information – ESB
• http://www.bankesb-idtheft.com/home.htm
Fraud Advisory for Businesses: Corporate Account Take Over (FBI, USSS, IC3, FS-ISAC)
• http://www.ic3.gov/media/2010/corporateaccounttakeover.pdf
Fighting back against Identity Theft (FTC)
• http://www.ftc.gov/bcp/edu/microsites/idtheft/
FBI Scams and Safety
• http://www.fbi.gov/scams-safety/
Better Business Bureau – Data Security made simpler
• http://www.bbb.org/data-security/Data-Security-Made-Simpler.pdf
Onguard Online – Consumer protection (FTC)
• http://onguardonline.gov/
Bureau of Consumer Protection – Business
• http://business.ftc.gov/