©2015 MasterCard. Proprietary and Confidential
July 2015
AMPI Regulatory Capacity Building Workshop
Managing Cybersecurity, Data Breach, and Mobile Financial Service Fraud – What do Policymakers need to know?
Digital Shift: Greatest Opportunity since the Plastic Card
Consumer connectivity is on the rise
• 3Bn internet users today [1]
• 40% of the global population
Connectivity is changing attitudes and behaviors in how consumers:
• Interact, entertain, educate, transact, shop; and
• Exchange value with people, brands, and merchants
This shift is accelerating due to the proliferation of connected devices
• Exponential growth: from 12Bn devices today to 50Bn by 2020 [2]
• Global mobile data traffic will increase nearly 11-fold between 2013 and 2018 [3]
• Adoption of connected devices and ubiquitous wireless connectivity will accelerate the shift
1. International Telecommunications Union, May 2014
2. Cisco – Connections Counter: The Internet of Everything in Motion; 2013
3. Cisco – Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018
[Chart: Connected Device Growth. Source: Business Insider Intelligence, Connected Device Growth; 2013]
What Do Most Criminal Organizations Want To Obtain?
• Primary Account Data
  – Magnetic stripe Track 1 + Track 2 data: PAN, cardholder name, expiry date, CVC1
• CVC2 (the security code printed on the card, used for card-not-present transactions)
• Personal Identification Number (PIN)
What Can Criminals Do With This Data?
Account Data
• Can be used for card-not-present (CNP) purchases such as mail order/telephone order (MOTO) and e-commerce – increased use of CVC2 helps mitigate the risk
• Can be used to create counterfeit cards – but printed blanks are required, and cloned magnetic stripes are of little use in countries that have migrated to chip (EMV)
Account Data and PIN
• Can be used to create counterfeit ATM cards and withdraw cash
• Chip and PIN ATMs help mitigate the risk
Current Security Landscape
• Cyber crime is growing in diversity and sophistication
• Integrated POS systems are increasingly targeted
  – Sensitive data is often stored unknowingly
  – Magnetic stripe data is stolen from log files rather than from traditional databases
  – Hackers target centralized servers with Internet connectivity; this is not just an e-commerce issue
• SQL injection and application-level attacks
• Third-party-related compromises
  – Network connectivity
  – Insider access
Where is the Data?
• Point of Sale (POS) system
• Back of House (BOH) server
• In transit
How Data is Compromised – Types of Data Compromises
Systems intrusion
• SQL injection
• Malware, sniffers, key loggers
• Web-based attacks
POS and ATM tampering
• Skimmers with Bluetooth devices
• Keypad overlays, small cameras
Employee or vendor actions
• Theft, collusion
• Social engineering
Reality – Opportunistic Attacks
• Attacker identifies a problem (e.g. Heartbleed)
• Has a working exploit developed
• Scans the Internet for all possible victims
• Compromises systems, then identifies valuable data
  – Stored data = low-hanging fruit
  – No stored data = in-transit attacks
• Repeats until no longer cost-effective
The Reality – Targeted Attacks
• Attacker profiles the target and identifies employees
• Sends targeted malware to employees
• Begins monitoring employee activity
• Captures login credentials to systems
• Quiet, careful, cautious
The South African Experience
Susan Potgieter, SABRIC
July 2015
AMPI Regulatory Capacity Building Workshop
Managing Cybersecurity, Data Breach, and Mobile Financial Service Fraud – What do Policymakers need to know?
Data Breaches – Global Threat
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property.
Source: https://en.wikipedia.org/wiki/Data_breach
Time is of the essence!
[Chart: Median time period between intrusion, detection, and containment of industrial cyber attacks worldwide in 2014 (in days). Source: http://www.statista.com/statistics/221406/time-between-initial-compromise-and-discovery-of-larger-organizations/]
Universal Life Cycle of a Data Breach
[Figure. Source: http://www.ct.org/category/events-happenings/]
Fraud distribution on SA-issued cards (2015)
[Chart: fraud distribution by fraud type]
What information does the fraudster need?
• Counterfeit fraud – needs the "track data" from the card's magnetic stripe (and sometimes the PIN)
• CNP fraud – needs the card number, CVV (CVC2) and expiry date
How do SA Banks go about identifying a breach?
Fraud spending patterns lead to a possible common point of purchase (CPP):
• Usually counterfeit fraud
• Spend is usually not ATM-related (the PIN is not compromised)
• Concentrated in a non-EMV country
  – Information is used where fallback to magnetic stripe is allowed
• Targeting a store or type of store
• Some other common factor
  – Similar MCCs, products purchased
This detection is reactive: it starts from fraud that has already occurred.
How do SA Banks go about identifying a breach?
Fraud spending patterns lead to a possible point of compromise.
Eliminate the other ways the cards could have been compromised, e.g.:
• Handheld skimmer
• ATM-mounted skimmer
How do SA Banks go about identifying a breach?
If all else is eliminated… then a data breach is possible. It could be some form of:
• Hacking
• Malware
• Physical attacks
• Social tactics (social engineering)
• Privilege misuse
Source: http://blog.goanywheremft.com/tag/data-breach/
SA Case Study – Dexter
Dexter is point-of-sale (POS) memory-scraping malware that infects computers running Microsoft Windows and could potentially infect POS systems worldwide. Seculert (an Israel-based security firm) discovered and named the Dexter malware in December 2012.
• Injects itself into iexplore.exe
• Ensures the iexplore.exe process restarts in the event that it is manually stopped
• Ensures persistence via writes to the 'Run' registry key
• Scrapes track data from process memory through a very common method
• Has a command and control structure with a remote host
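To make "track data" and "scrapes track data" concrete, the following is an added Python example written for this edit; it is not code from the deck and not Dexter's code. It scans a constructed buffer, standing in for a POS process memory dump or the swipe log files mentioned earlier, for ISO 7813 Track 1 and Track 2 records. This is the same pattern a RAM scraper uses to harvest card data and the same pattern a defender's memory or log scan can use to find it. The buffer, the cardholder name and the PANs (public test numbers) are constructed; results are masked to the first six and last four digits, and a Luhn check separates real PANs from random digit runs.

```python
import re

# Constructed sample: a fragment of POS process memory / a swipe log line, as a RAM
# scraper (or a defender's scan) would see it. PANs are public test numbers, not real cards.
SAMPLE_BUFFER = (
    b"2015-07-01 12:03:11 swipe ok "
    b"%B5555555555554444^DOE/JANE^20071011234500000000?"
    b";5555555555554444=20071011234500000?"
    b" next rec \x00\x00"
    b";4111111111111111=19122011000000000?"
    b" junk ;1234567890123456=2012101? "
)

# ISO 7813 layouts: Track 1 = %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#                   Track 2 = ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; filters out the random digit runs a raw regex would also match."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return every Track 1/2 record in buf, ordered by offset, with a Luhn verdict."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, yy, mm, svc = (g.decode() for g in m.groups()[:5])
        hits.append({"offset": m.start(), "track": 1, "name": name, "pan_masked": mask_pan(pan),
                     "luhn_ok": luhn_ok(pan), "expiry": f"20{yy}-{mm}", "service_code": svc,
                     # service code 2xx/6xx: chip to be used where possible; 1xx/5xx: stripe only
                     "chip_capable": svc[0] in "26"})
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, svc = (g.decode() for g in m.groups()[:4])
        hits.append({"offset": m.start(), "track": 2, "name": None, "pan_masked": mask_pan(pan),
                     "luhn_ok": luhn_ok(pan), "expiry": f"20{yy}-{mm}", "service_code": svc,
                     "chip_capable": svc[0] in "26"})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_BUFFER):
        print(h)
```

The last Track 2 candidate in the buffer has the right shape but fails the Luhn check, which is how a scanner avoids drowning in false positives; the service code shows whether the stripe belongs to a chip card, which matters for the fallback abuse described in the South African section.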
Dexter timeline (2012–2014)
14 months from intrusion to containment (about 420 days)
Dexter – Working the Data
• Increased level of fraudulent transactions at "Target"
• Looked at "group names": different time periods, different combinations
• Counterfeit-specific
• Increased fraud in the United States of America (USA) and India, end 2012 – beginning 2013
• Worked back to a possible CPP
Dexter – Lessons Learned (Data related)
Confirmed card fraud data (banking industry) → Common Point of Purchase (CPP) data → Analyse data
• Changes in fraud trend: country, modus operandi, merchant category (MCC), area
• Common point of purchase: merchant group, area, specific merchant
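The CPP analysis described in the "How do SA Banks go about identifying a breach?" slides and in the Dexter data flow above, as an added Python example (my illustration for this edit, not SABRIC's or any bank's tooling): given the set of confirmed-fraud cards and their earlier legitimate purchase history, score each merchant by how many of the compromised cards it saw (exposure) and by how concentrated fraud cards are among all of its customers (precision). The product of the two is what keeps a merchant that every card visits, such as a large supermarket, from outranking the actual point of compromise. Card IDs, merchant IDs and dates are constructed.

```python
from collections import defaultdict

# Constructed history of legitimate purchases: (card_id, merchant_id, date).
# Cards c01..c05 later appear in confirmed counterfeit fraud; c06..c10 do not.
TRANSACTIONS = [
    ("c01", "M-ACME-FUEL", "2015-03-02"),
    ("c02", "M-ACME-FUEL", "2015-03-05"),
    ("c03", "M-ACME-FUEL", "2015-03-09"),
    ("c04", "M-ACME-FUEL", "2015-03-14"),
    ("c05", "M-ACME-FUEL", "2015-03-20"),
    ("c06", "M-ACME-FUEL", "2015-03-21"),
    ("c02", "M-CORNER-CAFE", "2015-03-06"),
    ("c07", "M-CORNER-CAFE", "2015-03-07"),
] + [(f"c{i:02d}", "M-BIGMART", f"2015-03-{10 + i:02d}") for i in range(1, 11)]

CONFIRMED_FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05"}


def rank_cpp_candidates(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants as candidate common points of purchase.

    exposure  = share of the fraud cards that shopped at the merchant
    precision = share of the merchant's cards that later turned up in fraud
    score     = exposure * precision, so both a near-complete overlap and a
                high concentration are needed to rank first.
    """
    cards_at = defaultdict(set)
    fraud_dates = defaultdict(list)
    for card, merchant, date in transactions:
        cards_at[merchant].add(card)
        if card in fraud_cards:
            fraud_dates[merchant].append(date)

    out = []
    for merchant, cards in cards_at.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:      # too few cards to call it a pattern
            continue
        exposure = len(hit) / len(fraud_cards)
        precision = len(hit) / len(cards)
        out.append({
            "merchant": merchant,
            "fraud_cards": len(hit),
            "total_cards": len(cards),
            "exposure": round(exposure, 3),
            "precision": round(precision, 3),
            "score": round(exposure * precision, 3),
            # earliest/latest fraud-card visit bounds the likely compromise window
            "window": (min(fraud_dates[merchant]), max(fraud_dates[merchant])),
        })
    return sorted(out, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in rank_cpp_candidates(TRANSACTIONS, CONFIRMED_FRAUD_CARDS):
        print(row)
```

In the constructed data every fraud card visited both the fuel station and the supermarket, so exposure alone cannot separate them; precision does, because the supermarket also served five cards that never went bad. The compromise window of the top candidate is the date range the forensic examination should start from, which is the "work back to a possible CPP" step the slides describe.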
Dexter – Lessons Learned (Industry Level)
Incident handling structure (criminal investigation and risk mitigation):
• Incident → acquiring bank (if dual acquired: PASA EXO DATA)
• IRC – Incident Response Committee
• IRT – Incident Response Team
• FTT – Forensic Task Team
• SACFF – South African Card Fraud Forum
Dexter – Data Challenges
Data volume, data quality, different business processes, databases and priorities, geographical placement of merchants:
• Not all data elements are reported to SABRIC, e.g. switches, merchant numbers
• No industry standard on the reporting of merchants and locations
• Large volumes of data from different banks had to be standardised and imported for analysis – confirmed fraud and the positive spend (CPP)
• Roll-out of the containment tool was hampered by the difficulty of determining physical merchant locations
• Different banks have different systems and processes
Dexter – Data Challenges
• Human factor
• PCI
• POPI
• Social engineering
• Switches
• Service providers
• Multi-disciplinary approach
• Transparency
Thank you
Josh Knopp, VP/SBL ESS
AMPI Regulatory Capacity Building Workshop
Managing Cybersecurity, Data breach, and Mobile Financial Service Fraud – what do Policymakers need to know?
June 26, 2015
Brick and Mortar Breaches
Primary Attack Vector for Brick & Mortar Merchants, Based on MasterCard Forensic Examinations of Hacked Entities (2013 vs 2014)
Source Data: MasterCard-investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach
[Pie charts. Categories: Insecure Firewalls, Insecure Remote Access, Weak Passwords, E-mail phishing. Slice values as extracted, in slide order: 2013 – 18%, 70%, 9%, 3%; 2014 – 8%, 65%, 23%, 4%]
E-Commerce Breaches
Primary Attack Vector for e-Commerce Merchants, Based on MasterCard Forensic Examinations of Hacked Entities
Source Data: MasterCard-investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach
[Pie charts. Categories: Improper System Configuration, SQL Injection, Cross-Site Scripting, Insufficient Patching. Slice values as extracted, in slide order: 24%, 41%, 6%, 29% and 59%, 19%, 6%, 16%]
About the PCI Council
Founded in 2006 – guiding open standards for payment card security:
• Development
• Management
• Education
• Awareness
PCI Standards
PCI Security & Compliance: an ecosystem of payment devices, applications, infrastructure and users
• Manufacturers – PCI PTS (PIN Entry Devices)
• Software Developers – PCI PA-DSS (Payment Applications)
• Merchants & Service Providers – PCI DSS (Secure Environments)
• Protection of cardholder payment data
Securing Mobile
Leading security initiatives for mobile
PCI:
• Point-to-Point Encryption (P2PE)
• Over-The-Air (OTA) Provisioning
MasterCard:
• Handset manufacturer partnerships and evaluations
• EMV Tokenization
MasterCard's vision to secure digital payments anywhere, from any device
In this future state of commerce, consumer PAN data will only be visible on a physical card and replaced everywhere else by tokens:
• In the MasterCard network
• On the mobile device
• Stored online
Tokenization and Digitization of a consumer's payment card credentials
Tokenization is the replacement of a consumer card's primary account number (PAN) with an alternative card number.
Digitization is the process to deliver "tokenized" card details to mobile devices or servers for more secure payments.
This is done by embedding card payment credentials directly into mobile devices.
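An added Python sketch of the tokenization just described (my illustration for this edit; it is not MasterCard's token service or any real token service provider's code): a token vault maps a PAN to a Luhn-valid surrogate number drawn from a hypothetical token BIN and bound to a domain such as one device or one merchant. Only the vault, which stands in for the network side, can map a token back to the PAN, and a token presented from a different domain is refused; that domain restriction is what limits the value of tokens stolen from a merchant database, and suspending a token leaves the underlying card usable. The PAN (a public test number), the BIN "999999" and the domain names are constructed, and a real vault would hold the PAN under HSM-managed encryption rather than in memory.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Compute the mod-10 check digit that makes partial + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of `partial` is the first one doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


class TokenVault:
    """Maps (PAN, domain) -> token and back. The PAN never leaves the vault."""

    def __init__(self, token_bin: str = "999999"):   # constructed BIN, not a real range
        self.token_bin = token_bin
        self._by_token = {}
        self._by_pan_domain = {}

    def tokenize(self, pan: str, domain: str) -> str:
        key = (pan, domain)
        if key in self._by_pan_domain:               # one stable token per (PAN, domain)
            return self._by_pan_domain[key]
        while True:
            body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)    # 16 digits, passes a merchant's Luhn check
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = {"pan": pan, "domain": domain, "active": True}
        self._by_pan_domain[key] = token
        return token

    def detokenize(self, token: str, domain: str):
        """Return the PAN only if the token is active and presented from its own domain."""
        rec = self._by_token.get(token)
        if rec is None or not rec["active"] or rec["domain"] != domain:
            return None
        return rec["pan"]

    def suspend(self, token: str) -> None:
        """Lost device or compromised merchant: kill the token, not the card."""
        if token in self._by_token:
            self._by_token[token]["active"] = False


if __name__ == "__main__":
    vault = TokenVault()
    phone_token = vault.tokenize("5555555555554444", "device:phone-A")
    print("token on device:", phone_token)
    print("from the device:", vault.detokenize(phone_token, "device:phone-A"))
    print("replayed by a webshop:", vault.detokenize(phone_token, "merchant:webshop-B"))
```

Because the token is format-preserving, legacy merchant and acquirer systems that validate a 16-digit Luhn number keep working; because its BIN is a token range rather than the issuer's, the network can route it to the vault for detokenization instead of treating it as a PAN.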
Best Practices
Top 25 Passwords, by count (Source: 2013 Trustwave Global Security Report)
Welcome1, STORE123, Password1, password, Hello123, 12345678, training, Welcome2, holiday, Happy123, 123456, summer11, Welcome01, Welcome123, Changeme1, job12345, Welcome4, Password2, password1, Welcome3, Welcome22, Spring10, abcd1234, Password123, Summer11
Counts as extracted from the chart, highest to lowest: 30,465; 21,362; 15,383; 9,466; 9,400; 7,008; 5,281; 4,181; 3,063; 2,987; 2,972; 2,610; 2,512; 2,438; 2,336; 2,317; 2,183; 2,056; 2,053; 2,047; 2,029; 1,907; 1,849; 1,714; 1,473
Top 25 Passwords, by percentage (Source: 2013 Trustwave Global Security Report)
Password1, password, Welcome1, 123456, P@ssw0rd, Passw0rd, Password123, Password2, Summer12, password1, 12345678, Welcome2, Spring2012, Summer2012, Password3, Hello123, Welcome3, Fall2012, Spring12, pa$$w0rd, p@ssw0rd, p@ssword, p@ssword1, Summer11, password9
Percentages as extracted from the chart, highest to lowest: 38.7%; 34.5%; 16.0%; 12.6%; 11.8%; 10.9%; 10.9%; 10.1%; 10.1%; 10.1%; 9.2%; 7.6%; 6.7%; 6.7%; 6.7%; 5.9%; 5.9%; 5.9%; 5.9%; 5.9%; 5.9%; 5.0%; 5.0%; 5.0%; 5.0%
We can be better at this!
Source: 2014 Trustwave Global Security Report
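Almost every entry in the lists above is a dictionary word plus a digit, a season plus a year, or one of those with leet substitutions, which is exactly the rule set a cracking tool tries first. As an added Python example (mine, not Trustwave's or MasterCard's), this is the check a practitioner would put in front of password changes: normalise the candidate (lower-case, strip trailing digits and punctuation, undo common leet substitutions) and compare the stem against a denylist and against season names before applying a length rule. The denylist, built from the words on these slides, and the 12-character minimum are assumed policy values; a production deployment would check against a breached-password corpus as well.

```python
import re

# Stems seen on the slides after stripping trailing digits; an assumed denylist.
DENYLIST = {"password", "welcome", "changeme", "hello", "happy", "training",
            "holiday", "store", "job", "abcd", "qwerty", "letmein"}
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
# Common leet substitutions. Applied only after trailing digits are removed, so the
# trailing "1" in Welcome1 is not turned into an "i".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
MIN_LEN = 12  # assumed policy value


def normalize(pw: str) -> str:
    """Reduce a candidate to the dictionary stem a cracker's rule set would try."""
    stem = pw.lower().strip()
    stem = re.sub(r"[\d!._\-]+$", "", stem)   # Password1, Summer2012, Welcome123 -> stem
    return stem.translate(LEET)


def is_weak(pw: str, min_len: int = MIN_LEN):
    """Return (weak, reason). Checks run from most to least specific."""
    stem = normalize(pw)
    if pw.isdigit():
        return True, "all digits"
    if stem in DENYLIST:
        return True, f"dictionary word '{stem}'"
    if stem in SEASONS:
        return True, f"season '{stem}' plus year"
    if len(pw) < min_len:
        return True, f"shorter than {min_len} characters"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2012", "Welcome1", "12345678", "job12345",
                      "Shortish1", "blue-kettle-41-marathon"):
        print(f"{candidate!r}: {is_weak(candidate)}")
```

Normalising before comparing is the point: a denylist that holds only the literal strings from a report is defeated by the next digit or the next year, while a stem comparison catches Welcome1, Welcome01 and Welcome123 with one entry and P@ssw0rd, pa$$w0rd and p@ssword1 with another.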
Best Practices & Strategies
Do your homework!
✓ Firewalls and antivirus software are an effective first line of defense, not a complete one
✓ Review/replace end-of-life (EOL) security devices and apps
✓ Maintain patch levels on infrastructure and applications
✓ Protect and defend your "crown jewels" – your data!
✓ Understand "cloud" risks
✓ An incident management process is very important
Best Practices & Strategies
Continuous Monitoring
✓ Do you know what is happening on your network 24x7?
✓ Are privileged users monitored?
✓ Who/what is coming into and going out of the network?
✓ Are ex-employees still active on your network?
✓ Monitor in accordance with policies and applicable laws
Best Practices & Strategies
Manage Vendor / Outsourcing Risk
✓ Know your vendors and their capabilities
✓ Are they able to support your PCI DSS compliance efforts?
✓ Do they further outsource the work?
✓ Accountability cannot be outsourced!
Best Practices & Strategies
Validate Your Internal Controls
✓ Regular audit of:
  – Access controls
  – System configurations
  – Device settings
✓ Helps identify internal weaknesses, unauthorized changes and threats, and detect signs of intrusion
Risk Mitigation: A Shared Responsibility
Cardholders, Financial Institutions, Merchants, Service Providers, MasterCard
Questions?