Maximising Control and Knowledge to Gain Power in the Battle against Online Fraud

Provided by: ftbusin
1
Maximising Control and Knowledge to Gain Power in
the Battle against Online Fraud
Kaylene O'Neill, Senior Manager, Group Security,
Financial Crimes
FT Securing the Bank, 25 October 2007
2
Contents
  • The Issue
  • Aligning security programs with market
    information, regulatory issues, policies and
    existing technology infrastructure
  • Utilising the available types of surveillance of
    customer transactions
  • Tracking the perpetrators: forensics and challenges

3
Online Crime - The Issue
  • Move to electronic commerce shifts risk from
    elements within control of the organisation to
    elements outside control of the organisation eg.

The good old days
4
That's where the money is
  • Traditional areas of crime decline in favour of
    similar crime in online form.
    • Cheques -> Bpay and online payments
    • Bank robberies -> Data breaches, customer
      internet banking fraud
    • Offline confidence tricksters -> online (Nigerian
      scams, phishing etc.)
  • Increasing sophistication of attack vectors
    • Spearphishing
    • Zero day attacks
    • Range of channels - USB devices (future: PDAs and
      Smartphones)
    • Botnets/DDOS
    • External Connectivity

5
Aligning Your Security Program: Internal
  • Security
    • Patch cycles (beyond Microsoft) - need to risk
      assess and prioritise
    • Penetration Tests
    • Plan for DDOS
    • Consider risk of Data Breaches (internet, tape,
      wireless, USB)
  • Restricting Access
    • What can connect and run on the network (eg. USB
      devices)
    • Who can connect to the network (VPN, 2FA for
      access)
  • Educate your staff
    • Spearphishing, eCards
    • Customer related risks/scams
    • Effective use of 2FA

6
Aligning Your Security Program: External
  • Reliance on Customer/3rd Parties
    • Technology skills
    • Security awareness
    • Willingness to employ security practices

7
Aligning Your Security Program: External -
Customers
  • Develop Security Program assuming customer
    compromise
  • Multifactor Authentication
  • Educate and engage customers, including providing
    tools
  • Holistic approach to customer communication
    (easier said than done)
  • Up to date customer contact information
  • T&C notification and storage
  • Blocking and Notification of breaches
  • Information Sharing with peers
  • Make sure you can swim faster than other fish in
    the phishpond

8
Aligning Your Security Program: External - 3rd
Parties
  • Increasingly seeing data breaches at external
    parties impacting our customers.
  • In particular, where there is no direct
    relationship (eg. TJX in US)
  • More regulation likely
  • 3rd Parties
    • Outsourcing contracts with 3rd parties. Ensure
      effective security and governance - APS 231
    • Secure communication channels
  • Merchants
    • PCI compliance
    • Who notifies customer in case of data breach,
      particularly where no direct relationship

9
External Challenges
  • How do we communicate with our customers via
    insecure channel?
  • Regulatory/legal environment lag - need for
    industry input
  • Identity crime
  • Domain name registrars
  • Jurisdictional and cross border challenges in
    investigation
  • Regulation of global payment channels - AML
  • Access to Data Verification Services - Govt.

10
Utilising Customer Surveillance
  • Value and Non Value Transactions to feed rules
  • What information do you store?
  • Look at overall customer profile (identity fraud
    may impact multiple channels)
  • IP Monitoring although this is declining in
    usefulness
  • Implement strong risk-based tiered authentication
  • Consider alerts eg. SMS - give customer ability to
    monitor
  • Delayed payments and blocking
  • Sharing intelligence with other banks
  • What about third party transactions eg. eBay?
    Direct Debits?
  • Consider displacement
  • And... when do you block accounts?
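As an added illustration of how the surveillance points on this slide fit together (value and non-value events feeding rules, the overall customer profile, IP geolocation as a weak signal, risk-based tiered authentication, delayed payments and blocking), here is a small rule-based scorer. It is example code written for this page, not from the presentation; the profile fields, rule weights and tier thresholds are assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: profile fields, rule weights and tier thresholds
# are assumptions for illustration, not any bank's actual rules.
NON_VALUE_EVENTS = {"address_change", "new_payee", "password_reset", "phone_change"}
TIERS = ((80, "block"), (50, "delay"), (25, "step_up"))  # delay = hold + SMS alert

@dataclass
class CustomerProfile:
    usual_countries: set
    usual_payees: set
    daily_limit: float
    recent_changes: list = field(default_factory=list)  # non-value events seen

def score_event(profile: CustomerProfile, event: dict):
    """Score one event against the overall customer profile.
    Non-value events (no money moves) still feed the rules for later payments."""
    if event["type"] in NON_VALUE_EVENTS:
        profile.recent_changes.append(event["type"])
        return 25, ["non-value event: " + event["type"]]
    score, reasons = 0, []
    if event["payee"] not in profile.usual_payees:
        score += 25
        reasons.append("payment to a payee outside the usual set")
    if event["amount"] > profile.daily_limit:
        score += 30
        reasons.append("amount over daily limit")
    # IP geolocation is a weak signal on its own (proxies), so it weighs less
    if event["ip_country"] not in profile.usual_countries:
        score += 15
        reasons.append("IP country outside usual pattern")
    # Takeover pattern: contact details changed, then a new payee added
    if {"address_change", "new_payee"} <= set(profile.recent_changes):
        score += 30
        reasons.append("recent profile changes suggest account takeover")
    return score, reasons

def decide(score: int) -> str:
    """Map a score to an authentication/payment tier: allow, step_up (2FA), delay, block."""
    return next((tier for cutoff, tier in TIERS if score >= cutoff), "allow")

def process(profile: CustomerProfile, events: list) -> list:
    """Run a customer's event stream through the rules; one tier per event."""
    return [decide(score_event(profile, e)[0]) for e in events]
```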

11
Tracking the Perpetrators: Forensics
  • Assess the likely outcome of the investigation
    upfront.
  • If it has the potential to end up in court, the
    evidence must be collected and held in a
    forensically sound manner (including maintaining
    a documented chain of evidence) such that it is
    suitable for presentation in court. Consider use
    of expert assistance.
  • In particular, IT staff need to be trained to
    consider forensics when investigating system
    problems that could be related to DDOS, hacking
    or internal compromise
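One concrete way to keep the "documented chain of evidence" this slide calls for, as an added example that is not from the presentation: a hash-chained custody log over a captured artefact, where each handling step commits to the previous one and to the evidence itself. Field names, handler identifiers and the choice of SHA-256 are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: field names, handler ids and the choice of SHA-256
# are assumptions for illustration, not a prescribed evidence standard.
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Chain-of-custody record for one evidence item. The first entry commits
    to the evidence hash and every later entry to the previous entry, so any
    change to the evidence or to an entry (who, when, what) breaks verification.
    Record the latest entry hash off-line as well so a truncated tail is caught."""

    def __init__(self, evidence: bytes, handler: str, description: str):
        self.evidence_hash = digest(evidence)
        self.entries = []
        self.record("acquired", handler, description)

    def record(self, action: str, handler: str, note: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,  # acquired / imaged / transferred / analysed
            "handler": handler,
            "note": note,
            "prev": prev,
        }
        entry["entry_hash"] = digest(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence: bytes) -> bool:
        """True only if the evidence is byte-identical to what was acquired
        and no custody entry has been altered or reordered."""
        if digest(evidence) != self.evidence_hash:
            return False
        prev = self.evidence_hash
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if digest(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```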

12
Tracking the Perpetrators: Challenges
  • IP Addresses - increasing use of proxies
    (including anonymous)
  • What information do you store in your audit logs?
    • View access transactions
    • Address/Caller ID?
  • DDOS - can logs cope with volume of transactions?
    • Storm fights back
  • Ensure effective liaison processes
    • other FIs
    • Police (AHTCC)

13
Summary
  • Online crime is a business issue. If there is a
    weak point in the process, it will be exploited
  • Ensure IT, Business and Risk work together to
    identify risks and design effective end-to-end
    control environment

14
Questions??