Page 1

©2015 MasterCard. Proprietary and Confidential

AMPI Regulatory Capacity Building Workshop
July 2015

Managing Cybersecurity, Data Breach, and Mobile Financial Service Fraud – What do Policymakers need to know?

Page 2

Digital Shift: Greatest Opportunity since Plastic Card

Consumer connectivity is on the rise
•  3Bn internet users today [1]
•  40% of global population

Connectivity is changing attitudes and behaviors in how consumers:
•  Interact, entertain, educate, transact, shop; and
•  Exchange value with people, brands, and merchants

This shift is accelerating due to proliferation of connected devices
•  Exponential growth: from 12Bn devices today to 50Bn by 2020 [2]
•  Global mobile data traffic will increase nearly 11-fold between 2013 and 2018 [3]
•  Adoption of connected devices and ubiquitous wireless connectivity will accelerate the shift

1. International Telecommunications Union, May 2014
2. Cisco – Connections Counter: The Internet of Everything in Motion; 2013
3. Cisco – Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018

Chart: Connected Device Growth (Business Insider Intelligence: Connected Device Growth; 2013)

Page 3

What Do Most Criminal Organizations Want To Obtain?

•  Primary Account Data
   –  Mag stripe Track 1 + Track 2 data
   –  PAN, User Name, Expiry date, CVC1
•  CVC2
•  Personal Identification Number (PIN)

Page 4

What Can Criminals Do With This Data?

Account Data
•  Can be used for MOTO (Card Not Present) purchases – increased use of CVC2 helps mitigate risk
•  Can be used to create counterfeit cards – but printed blanks are required, so this is of little use in countries that have migrated to Chip

Account Data and PIN
•  Can create ATM cards to withdraw cash
•  Chip and PIN ATMs can help mitigate risk

Page 5

Current Security Landscape

•  Cyber crime is growing in diversity and sophistication
•  Integrated POS Systems are increasingly targeted
   –  Sensitive data is often unknowingly stored
   –  Magnetic stripe data is stolen from log files as opposed to traditional databases
   –  Hackers are targeting centralized servers with Internet connectivity; this is not just an e-commerce issue
•  SQL Injection and application level attacks
•  Third-Party-Related Compromises
   –  Network Connectivity
   –  Insider Access
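The landscape above notes that magnetic stripe data is often stolen from log files where it was unknowingly stored. The following Python script, an added example that is not part of the MasterCard deck, shows the kind of check a merchant or acquirer can run over its own logs to find such data before an attacker does: it looks for Track 2 records and bare card numbers, confirms candidates with the Luhn check digit so order numbers and timestamps are not flagged, and reports each hit with the PAN masked. The log lines and the well-known test card numbers in them are constructed for the example.

```python
import re

# Constructed sample log lines (not from the deck). The card numbers are the
# well-known test numbers, which pass the Luhn check but are not live accounts.
SAMPLE_LOG = """\
2015-07-01 09:12:03 POS01 sale approved amount=42.10 ref=A1001
2015-07-01 09:12:04 POS01 debug track2=;4111111111111111=25121011234567890?
2015-07-01 09:15:20 POS02 sale declined ref=A1002 order=12345678901234567
2015-07-01 09:16:40 POS02 debug pan=5555555555554444 exp=12/25
"""

# Track 2 layout: start sentinel ';', PAN (13-19 digits), field separator '=',
# expiry YYMM, service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Bare PAN candidates: a run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Flag log lines that contain Track 2 data or Luhn-valid PANs.

    Returns one finding per hit with the line number, the kind of data found
    and the masked PAN, so the finding itself does not re-store the card number.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append({"line": lineno, "kind": "track2",
                             "pan": mask(m.group(1)), "expiry": m.group(2)})
            continue
        for cand in PAN_RE.findall(line):
            if luhn_ok(cand):
                findings.append({"line": lineno, "kind": "pan", "pan": mask(cand)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run over the sample, the scan reports line 2 (a full Track 2 record written by a debug statement) and line 4 (a bare PAN), while the 17-digit order reference on line 3 is rejected by the Luhn check. In practice the same scan is pointed at the POS and back-of-house log directories on a schedule, and every hit is treated as a logging defect to fix, not just a record to delete.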

Page 6

Where is the Data?

•  Point of Sale (POS) system
•  Back of House Server (BOH)
•  In Transit

Page 7

How Data is Compromised – Types of Data Compromises

Systems Intrusion
•  SQL Injection
•  Malware, sniffers, key loggers
•  Web-based attacks

POS and ATM Tampering
•  Skimmers with Bluetooth devices
•  Keypad overlays, small cameras

Employee or vendor actions
•  Theft, collusion
•  Social Engineering

Page 8

Reality – Opportunistic Attacks

•  Attacker identifies a problem (e.g. Heartbleed)
•  Has a working exploit developed
•  Scans the internet for all possible victims
•  Compromises systems, then identifies valuable data
   –  Stored data = low hanging fruit
   –  No stored data = In-transit attacks
•  Repeats until no longer cost effective

Page 9

The Reality – Targeted Attacks

•  Attacker profiles the target and identifies employees
•  Sends targeted malware to employees
•  Begins monitoring employee activity
•  Captures login credentials to systems
•  Quiet, careful, cautious

Page 10

The South African Experience

Susan Potgieter, SABRIC
AMPI Regulatory Capacity Building Workshop, July 2015

Page 11

Data Breaches – Global Threat

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.

Source: https://en.wikipedia.org/wiki/Data_breach

Page 12

Time is of the essence!

Chart: Median time period between intrusion, detection, and containment of industrial cyber attacks worldwide in 2014 (in days)

Source: http://www.statista.com/statistics/221406/time-between-initial-compromise-and-discovery-of-larger-organizations/

Page 13

Universal Life Cycle of Data Breach

Image source: http://www.ct.org/category/events-happenings/

Page 14

Chart: Fraud distribution on SA issued cards (2015)

What information do you need?
•  Counterfeit fraud – needs the "track data" on the card (sometimes the PIN)
•  CNP fraud – needs card number, CVV and expiry date

Page 15

How do SA Banks go about identifying a breach?

Fraud spending patterns lead to a possible point of compromise (common point of purchase, CPP):
•  Usually Counterfeit Fraud
•  Spend usually not ATM related (PIN is not compromised)
•  Concentrated in a non-EMV country – information is used where fall-back is allowed
•  Targeting a store / type of store
•  Some other common factor – similar MCCs, products purchased

This approach is re-active.

Page 16

How do SA Banks go about identifying a breach?

Fraud spending patterns lead to a possible point of compromise. Eliminate the different ways to compromise:
•  Handheld skimmer
•  ATM mounted skimmer

Page 17

How do SA Banks go about identifying a breach?

If all else is eliminated… then possible data breach. Could be some form of:
•  hacking
•  malware
•  physical attacks
•  social tactics (social engineering)
•  privilege misuse

Image source: http://blog.goanywheremft.com/tag/data-breach/

Page 18

SA Case Study – Dexter

Seculert (Israel-based security firm) discovered and named the Dexter malware in December 2012.

Dexter (malware) is a computer virus which infects computers running Microsoft Windows and could potentially infect POS systems worldwide.

•  Injects itself into iexplore.exe
•  Ensures the iexplore.exe process restarts in the event that it is manually stopped
•  Ensures persistence via writes to the 'Run' registry key
•  Scrapes track data through a very common method
•  Has a command and control structure with a remote host

Page 19

Dexter timeline (2012 – 2013 – 2014)

14 months from intrusion to containment (about 420 days)

Page 20

Dexter – Working the Data

•  Increased level of fraudulent transactions at "Target"
•  Looked at: "group names", different time periods, different combinations
•  Counterfeit specific
•  Increased fraud in United States of America (USA) and India, end 2012 – beginning 2013
•  Worked back to possible CPP

Page 21

Dexter – Lessons Learned (Data related)

Banking industry data flow: Confirmed card fraud data → Common Point of Purchase (CPP) data → Analyse data

Changes in Fraud Trend: Country, Modus operandi, Merchant category (MCC), Area

Common Point of Purchase: Merchant Group, Area, Specific Merchant
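The breach-identification steps on pages 15 to 17 and the data flow on this page describe common point of purchase (CPP) analysis: start from the confirmed-fraud cards, look at where they all transacted before the fraud surfaced, and rank merchants. The Python below is an added example, not SABRIC's or MasterCard's code, showing one way to implement that ranking. The card identifiers, merchant identifiers, MCCs and dates are constructed sample data, and the scoring (coverage and fraud share) and the minimum-card threshold are the example's own choices.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the deck). Card ids are opaque references,
# never PANs; a real analysis runs over the bank's own transaction warehouse.
CONFIRMED_FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05"}

# Look-back window: the period before the fraud surfaced (end 2012 on the
# Dexter slides), chosen here to suit the sample data.
WINDOW_START = date(2012, 10, 1)
WINDOW_END = date(2012, 12, 31)

# (card id, merchant id, merchant category code, transaction date)
TRANSACTIONS = [
    ("c01", "M-FUEL-17", "5541", date(2012, 11, 2)),
    ("c01", "M-GROCER-3", "5411", date(2012, 11, 5)),
    ("c02", "M-FUEL-17", "5541", date(2012, 11, 3)),
    ("c02", "M-CAFE-9", "5812", date(2012, 11, 7)),
    ("c03", "M-FUEL-17", "5541", date(2012, 11, 9)),
    ("c04", "M-FUEL-17", "5541", date(2012, 11, 20)),
    ("c04", "M-GROCER-3", "5411", date(2012, 11, 21)),
    ("c05", "M-CAFE-9", "5812", date(2012, 12, 1)),
    # legitimate cards visiting the same merchants (background traffic)
    ("c10", "M-FUEL-17", "5541", date(2012, 11, 4)),
    ("c11", "M-GROCER-3", "5411", date(2012, 11, 6)),
    ("c12", "M-GROCER-3", "5411", date(2012, 11, 8)),
    ("c13", "M-GROCER-3", "5411", date(2012, 11, 9)),
    ("c14", "M-CAFE-9", "5812", date(2012, 11, 10)),
    # an old visit outside the look-back window, which must be ignored
    ("c05", "M-FUEL-17", "5541", date(2012, 6, 1)),
]


def common_point_of_purchase(transactions, fraud_cards, window_start, window_end,
                             min_fraud_cards=2):
    """Rank merchants by how many confirmed-fraud cards transacted there.

    For each merchant inside the window we count distinct fraud cards and
    distinct cards overall. 'coverage' is the share of all fraud cards that
    visited the merchant; 'fraud_share' is the share of the merchant's
    customers in the window that later turned up as fraud. A merchant with
    high coverage and a high fraud share is the leading CPP candidate.
    """
    fraud_seen = defaultdict(set)
    all_seen = defaultdict(set)
    mcc_of = {}
    for card, merchant, mcc, when in transactions:
        if not (window_start <= when <= window_end):
            continue
        all_seen[merchant].add(card)
        mcc_of[merchant] = mcc
        if card in fraud_cards:
            fraud_seen[merchant].add(card)

    results = []
    for merchant, cards in fraud_seen.items():
        if len(cards) < min_fraud_cards:      # ignore one-off coincidences
            continue
        results.append({
            "merchant": merchant,
            "mcc": mcc_of[merchant],
            "fraud_cards": len(cards),
            "coverage": round(len(cards) / len(fraud_cards), 2),
            "fraud_share": round(len(cards) / len(all_seen[merchant]), 2),
        })
    # strongest candidate first: most fraud cards, then highest fraud share
    results.sort(key=lambda r: (r["fraud_cards"], r["fraud_share"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, CONFIRMED_FRAUD_CARDS,
                                        WINDOW_START, WINDOW_END):
        print(row)
```

On the sample data the fuel merchant is visited by four of the five fraud cards and four of its five customers in the window are fraud cards, so it leads the ranking; the grocer is visited by two fraud cards but has mostly clean traffic. The same grouping can be run at MCC, merchant-group or area level, which is how the slides narrow from a fraud trend to a specific merchant.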

Page 22

Dexter – Lessons Learned (Industry Level)

Criminal investigation and risk mitigation structure (diagram):
•  Incident → Acquiring bank
•  IRC – Incident Response Committee
•  IRT – Incident Response Team
•  FTT – Forensic Task Team
•  If dual acquired: PASA EXO, DATA, SACFF (South African Card Fraud Forum)

Page 23

Dexter – data challenges

Data Volume
Data Quality
Different business processes, databases and priorities
Geographical placement of merchants

•  Not all data elements are reported to SABRIC, e.g. switches, merchant numbers
•  No industry standard on the reporting of merchants and locations
•  Large volumes of data from different banks had to be standardised and imported for analysis – confirmed fraud and the positive spend (CPP)
•  Roll out of the containment tool was hampered by difficulty in determining physical merchant locations
•  Different banks have different systems and processes

Page 24

Dexter – data challenges

Human factor
PCI
POPI
Social engineering
Switches
Service providers
Multi disciplinary approach
Transparency

Page 25

Thank you

Image source: http://www.enterprisecioforum.com/sites/default/files/featured_img/eiq-feeling-vulnerable-7.jpg

Page 26

Josh Knopp, VP/SBL ESS
AMPI Regulatory Capacity Building Workshop

Page 27

June 26, 2015

Brick and Mortar Breaches

Primary Attack Vector for Brick & Mortar Merchants, Based on MasterCard Forensic Examinations of Hacked Entities (2013 and 2014)

Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach

Chart categories: Insecure Firewalls, Insecure Remote Access, Weak Passwords, E-mail phishing
2013 chart segments as printed: 18%, 70%, 9%, 3%
2014 chart segments as printed: 8%, 65%, 23%, 4%

Page 28

E-Commerce Breaches

Primary Attack Vector for e-Commerce Merchants, Based on MasterCard Forensic Examinations of Hacked Entities

Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach

Chart categories: Improper System Configuration, SQL Injection, Cross-Site Scripting, Insufficient Patching
First chart segments as printed: 24%, 41%, 6%, 29%
Second chart segments as printed: 59%, 19%, 6%, 16%

Page 29

About the PCI Council

Founded in 2006 – Guiding open standards for payment card security

•  Development
•  Management
•  Education
•  Awareness

Page 30

PCI Standards – Ecosystem of payment devices, applications, infrastructure and users

•  Manufacturers – PCI PTS: PIN Entry Devices
•  Software Developers – PCI PA-DSS: Payment Applications
•  Merchants & Service Providers – PCI DSS: Secure Environments

PCI Security & Compliance: Protection of Cardholder Payment Data

Page 31

Securing Mobile – Leading Security Initiatives for Mobile

PCI
•  Point to Point Encryption (P2PE)
•  Over The Air (OTA) Provisioning

MasterCard
•  Handset Manufacturer Partnerships and Evaluations
•  EMV Tokenization

Page 32

MasterCard’s vision to secure digital payments anywhere, from any device

In this future state of commerce, consumer PAN data will only be visible on a physical card and replaced everywhere else by tokens: in the MasterCard network, on the mobile device, and when stored online.

Page 33

Tokenization and Digitization of a consumer’s payment card credentials

Tokenization is the replacement of a consumer card’s primary account number (PAN) with an alternative card number.

Digitization is the process to deliver “tokenized” card details to mobile devices or servers for more secure payments. This is done through embedding card payment credentials directly into mobile devices.
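To make the two definitions concrete, here is an added Python model of a token vault (example code, not MasterCard's tokenization service; the TOKEN_BIN value, the requestor names and the test card number are constructed). It shows the two properties the preceding slides rely on: the merchant stores a format-preserving token rather than the PAN, so a breach of merchant storage yields no card numbers, and each token is bound to the device or merchant it was provisioned to, so a token copied out of one domain is not honoured in another. Real payment tokens are also Luhn-valid and issued from registered token BIN ranges; those details are left out of this model.

```python
import secrets


class TokenVault:
    """Toy token service provider: maps PANs to tokens and back.

    Tokens keep the PAN format (digits, same length, same last four) so that
    merchant systems and receipts keep working, but begin with a token BIN
    rather than an issuer BIN. Each token is bound to the requestor (the
    device or merchant it was provisioned to), so a token lifted from one
    domain cannot be redeemed from another.
    """

    TOKEN_BIN = "990000"  # constructed example range, not a real token BIN

    def __init__(self):
        self._pan_by_token = {}     # token -> (pan, requestor)
        self._tokens_by_pan = {}    # pan -> {requestor: token}

    def tokenize(self, pan: str, requestor: str) -> str:
        """Issue (or re-use) a token for this PAN bound to this requestor."""
        existing = self._tokens_by_pan.get(pan, {}).get(requestor)
        if existing:
            return existing
        middle_len = len(pan) - len(self.TOKEN_BIN) - 4
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = self.TOKEN_BIN + middle + pan[-4:]
            # the random middle carries no information about the PAN;
            # retry only on the rare collision with an existing token
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = (pan, requestor)
        self._tokens_by_pan.setdefault(pan, {})[requestor] = token
        return token

    def detokenize(self, token: str, requestor: str):
        """Return the PAN only when the token is presented from its own domain."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != requestor:
            return None
        return entry[0]


def demo_breach_of_merchant_storage() -> dict:
    """Show what a breached merchant database holds once tokens are in use."""
    vault = TokenVault()
    pan = "4111111111111111"           # well-known test number, not a live account
    phone_token = vault.tokenize(pan, requestor="wallet-app/device-42")
    web_token = vault.tokenize(pan, requestor="merchant-web/shop-7")
    merchant_db = {"customer_42": web_token}   # the merchant never sees the PAN
    return {
        "stored_value_is_pan": merchant_db["customer_42"] == pan,
        "stored_last4_matches": merchant_db["customer_42"][-4:] == pan[-4:],
        "tokens_differ_per_domain": phone_token != web_token,
        "replay_from_other_domain": vault.detokenize(web_token, "wallet-app/device-42"),
        "legitimate_use": vault.detokenize(web_token, "merchant-web/shop-7") == pan,
    }


if __name__ == "__main__":
    for key, value in demo_breach_of_merchant_storage().items():
        print(f"{key}: {value}")
```

The point of the demo function is the asymmetry: the merchant's stored value is useful to its own checkout flow (the vault resolves it for that requestor) but is a dead end for anyone who copies the database, and even the legitimate token is refused when presented from the wrong domain.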

Page 34

Best Practices

Page 35

Top 25 Passwords (Source: 2013 Trustwave Global Security Report)

By count – passwords shown on the chart:
Welcome1, STORE123, Password1, password, Hello123, 12345678, training, Welcome2, holiday, Happy123, 123456, summer11, Welcome01, Welcome123, Changeme1, job12345, Welcome4, Password2, password1, Welcome3, Welcome22, Spring10, abcd1234, Password123, Summer11

Counts shown on the chart:
30,465; 21,362; 15,383; 9,466; 9,400; 7,008; 5,281; 4,181; 3,063; 2,987; 2,972; 2,610; 2,512; 2,438; 2,336; 2,317; 2,183; 2,056; 2,053; 2,047; 2,029; 1,907; 1,849; 1,714; 1,473

By percentage – passwords shown on the chart:
Password1, password, Welcome1, 123456, P@ssw0rd, Passw0rd, Password123, Password2, Summer12, password1, 12345678, Welcome2, Spring2012, Summer2012, Password3, Hello123, Welcome3, Fall2012, Spring12, pa$$w0rd, p@ssw0rd, p@ssword, p@ssword1, Summer11, password9

Percentages shown on the chart:
38.7%, 34.5%, 16.0%, 12.6%, 11.8%, 10.9%, 10.9%, 10.1%, 10.1%, 10.1%, 9.2%, 7.6%, 6.7%, 6.7%, 6.7%, 5.9%, 5.9%, 5.9%, 5.9%, 5.9%, 5.9%, 5.0%, 5.0%, 5.0%, 5.0%

We can be better at this!

Source: 2014 Trustwave Global Security Report
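The lists above are a ready-made deny list, and the entries share a few obvious shapes: a base word plus a digit or two, a season plus a year, and character substitutions on "password". The Python below is an added example (not from the Trustwave report or the deck) of a password check that rejects the listed values and generalizes to those families, which is what a password policy needs to do to improve on the statistics shown. BASE_WORDS, SEASONS and the substitution table are the example's own choices.

```python
import re

# The 25 passwords on the slide's "by percentage" chart (2013 Trustwave
# Global Security Report), used here as a deny list.
DENY_LIST = {
    "Password1", "password", "Welcome1", "123456", "P@ssw0rd", "Passw0rd",
    "Password123", "Password2", "Summer12", "password1", "12345678", "Welcome2",
    "Spring2012", "Summer2012", "Password3", "Hello123", "Welcome3", "Fall2012",
    "Spring12", "pa$$w0rd", "p@ssw0rd", "p@ssword", "p@ssword1", "Summer11",
    "password9",
}

# Pattern families the list is built from (the example's own choices).
BASE_WORDS = ("password", "welcome", "hello", "changeme", "store", "happy",
              "training", "holiday", "job")
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
BASE_WORD_RE = re.compile(r"(?:%s)\d*" % "|".join(BASE_WORDS))
SEASON_YEAR_RE = re.compile(r"(?:%s)\d{2}(?:\d{2})?" % "|".join(SEASONS))
SEQUENCE_RE = re.compile(r"\d+|abcd\d*")

# Symbol substitutions seen in the list; digits are handled separately so
# that trailing counters such as 'Welcome01' keep their digits.
SYMBOL_SUBS = str.maketrans({"@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case and undo common substitutions ('@'->'a', '$'->'s', '!'->'i',
    and a '0' between letters -> 'o'), so 'P@$$w0rd' is judged as 'password'."""
    s = pw.lower().translate(SYMBOL_SUBS)
    return re.sub(r"(?<=[a-z])0(?=[a-z])", "o", s)


NORMALIZED_DENY = {normalize(p) for p in DENY_LIST}


def weak_reason(pw: str):
    """Return a short reason if the password is weak, or None if it passes."""
    if pw in DENY_LIST:
        return "on deny list"
    n = normalize(pw)
    if n in NORMALIZED_DENY:
        return "deny-list entry with character substitutions"
    if BASE_WORD_RE.fullmatch(n):
        return "common base word plus digits"
    if SEASON_YEAR_RE.fullmatch(n):
        return "season plus year"
    if SEQUENCE_RE.fullmatch(n):
        return "digit or keyboard sequence"
    return None


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Winter2015", "Welcome99", "987654321",
                      "correct horse battery staple"):
        print(candidate, "->", weak_reason(candidate))
```

The check is deliberately a reject-list, not a complexity rule: every entry on the slide already satisfies the usual "upper case, digit, eight characters" rules, which is exactly why those rules did not keep them off the list. Length and a large breached-password corpus would be the next additions in a production policy.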

Page 36

Best Practices & Strategies – Do your homework!

✓ Firewalls and antivirus software = effective defense
✓ Review/replace EOL security devices and apps
✓ Maintain patch levels on infrastructure and applications
✓ Protect and defend your “crown jewels” – Your Data!
✓ Understand “cloud” risks
✓ Incident Management Process is very important

Page 37

Best Practices & Strategies – Continuous Monitoring

✓ Do you know what is happening on your network 24x7?
✓ Are privileged users monitored?
✓ Who/what is coming in/going out of the network?
✓ Are ex-employees still active on your network?
✓ Monitor in accordance with policies and applicable laws

Page 38

Best Practices & Strategies – Manage Vendor / Outsourcing Risk

✓ Know your vendors and their capabilities
✓ Are they able to support your PCI-DSS compliance efforts?
✓ Do they further outsource the work?
✓ Accountability cannot be outsourced!

Page 39

Best Practices & Strategies – Validate Your Internal Controls

✓ Regular audit of:
   –  Access controls
   –  System configurations
   –  Device settings
✓ Will help identify internal weaknesses, unauthorized changes and threats, or detect signs of intrusions

Page 40

Risk Mitigation: A Shared Responsibility

•  Cardholders
•  Financial Institutions
•  Merchants
•  Service Providers
•  MasterCard

Page 41

Questions?