With the new interconnected age comes new risks for cyber attacks and other fraudulent activity. Do you know what you need to keep your end users protected? Digital Insight discusses security and compliance in the interconnected age.
3. Introduction
Alan Akahoshi is a lead security product manager at Digital Insight. With 22 years of network communication, applications and security experience, Alan has safeguarded systems for the nation’s leading technology companies. His previous roles include program manager for Microsoft's hosted services group, and product manager for Symantec's consumer business unit.
4. Agenda
• The Internet of Everything (IoE)
– Ecosystem
• FFIEC Guidelines for your customer digital channel
– Coverage
• A security model for protecting your Customer
– Closing the gap
5. Have you ever received an email from your refrigerator or television set?
a. Yes
b. No
c. Is that possible?!
Poll Question 1 : Current Events
6. >750K malicious emails sent by botnet. It’s enough to give you chills.
“In this case, hackers broke into more than 100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator, Proofpoint says. They then used those objects to send more than 750,000 malicious emails to enterprises and individuals worldwide.”
8. IoE = User x (Devices x Networks x Services)
The connected state, or the “Internet of Everything”
Diagram: Devices, Networks (Places) and Services (Transactions/Interactions), with Data flowing between all of them.
10. Cyber Security is the biggest concern
Source: http://www.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2?op=1
11. • “Six degrees or less,” you are connected to a vulnerable element in the IoE ecosystem.
For Financial Institutions, Security must extend beyond your purview.
12. • The Heartbleed bug is a vulnerability in the OpenSSL cryptographic software library that existed since 2012 and was not uncovered until early this year.
And the effects may be devastating.
Reputation takes years to build, and only moments to lose.
In IoE, controlling borders and layering security isn’t enough. You need to dramatically change your security strategy.
14. • Federal rules and regulations
– Federal Reserve Board
• Regulation E (Electronic Fund Transfers, 12 CFR 205)
– Uniform Commercial Code
• Article 4A, Funds Transfer (2012)
– Dodd-Frank Wall Street Reform and Consumer Protection Act
• The FFIEC prescribes recommendations for federal examinations of financial institutions.
– E-Banking
– Information Security
– Supplement in 2011
In a highly regulated industry, how do you respond to IoE?
15. • 2001: Electronic Banking
• 2005, 2011: Internet Banking
• What does it protect?
– Customer data (privacy)
– Fund movement (anti-fraud)
• How does it protect?
– Periodic risk assessments
– Multi-factor authentication
– Layered security controls
• Access controls (limits)
• Monitoring
– Customer awareness
FFIEC Internet Banking Guidelines (2011)
17. Financial Institution Best Practices
How do you provide an effective and secure digital banking experience?
18. Please select the best statement that applies to your institution:
a. The security of my solution is most important.
b. The security of my solution is important, but it should minimally impact my customer user experience.
c. My customer user experience is most important.
Poll Question 2 : Security vs. Ease of Use
19. • Includes Prevention
• Includes Monitoring
• Includes Remediation
• Is multi-faceted, multi-layered to provide maximum protection
– a system of redundancy
An effective security program framework
Diagram: Prevention, Monitoring and Remediation as the three lenses of the program.
20. • In order to secure the online and mobile banking ecosystem, you need to consider the multiple layers and what it is you are protecting.
• Adopt solutions using the “lenses” of your security program
– Prevention, monitoring and remediation
User protection
• User credentials
• User devices
• User applications
• User assets ($)
• Malware detection/removal
Network protection
• Network providers (public, private, mobile)
• Data exchange (privacy encryption)
Service protection
• Online banking applications
• Mobile banking applications
• Data handling and storage (privacy)
• Service availability
Business protection
• Employees
• Business assets ($)
• Data governance
Protection layers in order to manage risk
21. • Identity Verification (Account Origination)
– Required by Section 326 of the USA Patriot Act (FFIEC 2005)
– Reduce the risk of
• Identity theft
• Fraudulent account applications (international money laundering and terrorist financing)
• Unenforceable account agreements or transactions
• User Verification (Authentication, Authorization and Access Control)
– Layered “what you can see” & “what you can do”
– Reduce the risk of
• Unauthorized account access (privacy; protecting data)
• Account takeover
• Fraudulent activity
Prove you are who you say you are
22. • User verification methods
– Something the user knows
• “Shared secret”, password, PIN
– Something the user has
• ATM card, smart card, scratch card
• Mobile device, FOB token, USB token
– Something the user is
• Biometric hardware (fingerprint, face, voice, retinal/iris, etc.)
– Other factors that complement authentication
• User device identification
• User location / network
• User internet protocol address
Authentication, Authorization and Access Control
23. • Layered Security Controls
– Measure the level of risk and match protection methods
• Consumer Banking
– Accessing banking account information
– Accessing personal account information
– Money movement activity
• Bill payment
• Intrabank funds transfers
• Interbank funds/wire transfers
• Business Banking
– Frequent money movement activity in higher dollar amounts
• ACH file origination
• Frequent interbank wire transfers
Not all online activity or actions are equal
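As an added illustration that is not part of the deck, the following ties slide 22's complementary factors (device, location/network, IP address) to slide 23's instruction to measure the level of risk and match protection methods: each activity carries a baseline risk, anomalous session signals raise it, and the resulting band selects the layered controls. The activity names, signal names, risk bands and control sets are assumptions made for this example, not Digital Insight's or the FFIEC's.

```python
from dataclasses import dataclass

# Baseline risk per activity, following the deck's taxonomy: viewing account
# or personal information is low risk; money movement rises with reach and
# value, with interbank wires and ACH file origination at the top.
ACTIVITY_RISK = {
    "view_account_info": 1,
    "view_personal_info": 1,
    "bill_payment": 2,
    "intrabank_transfer": 2,
    "interbank_wire": 3,
    "ach_origination": 3,
}

# Control sets per risk band. The bands and control names are this example's
# own choices, not the deck's; a real program takes them from its risk assessment.
CONTROLS = {
    "low": ["password"],
    "medium": ["password", "second_factor"],
    "high": ["password", "second_factor", "out_of_band_confirmation",
             "transaction_limit", "fraud_review"],
}

@dataclass
class Context:
    """Complementary factors named in the deck: device, location/network, IP."""
    known_device: bool = True      # device identifier previously tied to this user
    usual_location: bool = True    # geo-location / network consistent with history
    ip_reputation_ok: bool = True  # source IP address not on a block list
    amount_ratio: float = 1.0      # requested amount / the user's typical amount

def risk_score(activity: str, ctx: Context) -> int:
    """Measure risk: the activity's baseline plus one point per anomalous signal."""
    if activity not in ACTIVITY_RISK:
        raise ValueError(f"unknown activity: {activity}")
    score = ACTIVITY_RISK[activity]
    score += int(not ctx.known_device)
    score += int(not ctx.usual_location)
    score += int(not ctx.ip_reputation_ok)
    score += int(ctx.amount_ratio > 5.0)  # well outside this user's normal behaviour
    return score

def risk_band(score: int) -> str:
    """Map a score to a band: 1 is low, 2-3 medium, 4 and above high."""
    return "low" if score <= 1 else "medium" if score <= 3 else "high"

def required_controls(activity: str, ctx: Context) -> list[str]:
    """Match protection methods to the measured risk, as the deck prescribes."""
    return CONTROLS[risk_band(risk_score(activity, ctx))]
```

A balance enquiry from a known device stays at password only, while a wire from an unrecognised device for an unusually large amount picks up out-of-band confirmation, a limit and fraud review.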
25. What is your greatest mobile security concern? (Select one)
a. Application security
b. Device data leakage
c. Device loss or theft
d. Malware attack
Poll Question 3 : Mobile Risk
26. • Mobile devices, the networks they connect to, the services they access, and the data they share…
– 63% of smartphone users access their bank or credit union institution
– 61% of smartphone owners who don’t use mobile banking cite “security” issues
• Mobile Apps vs Mobile Web
• Secure communication channel (data privacy)
• Complex device identification, geo-location and reputation
– Assurance to tie this to a user
– Monitoring
Mobile is personal, an extension of You
Source: Deloitte, May 2014, Mobile Financial Services: Raising The Bar on Customer Engagement
27. • It’s never a question of ‘if’ I get hacked, but ‘when’ I get hacked…
– Hackers are continuously finding and exploiting the weakest link
• Effective monitoring is key to detecting fraud and preventing attacks
• Complex analytics of user, device and system data, and behavioral modeling provide intelligent detection
• Mitigation processes
Hackers hack and they will continue to hack
28. How do you provide customers/members with tools and tips to safeguard their online and/or mobile banking experience? (select all that apply)
a. Online Banking Application
b. Mobile Banking Application
c. Email
d. Text/SMS
e. In-Branch
f. Other
g. We do not provide any tools or tips
Poll Question 4 : Education Programs
29. • Customer Awareness & Education
– DOs and DON’Ts
– Alerts and Notifications
• Attacks, risks etc.
• Internal Training
Secure people, not just the technology
1. Be vigilant.
2. Protect your devices.
3. Protect your passwords.
• Create password groups.
4. Do not share your passwords.
5. Use trusted applications from known and trusted sources.
6. Access trusted websites.
7. Be careful of email content, even if it’s from a known person.
* Feb 1st – National Change Your Password Day
30. What you can do . . .
• Effective security strategy – elements for prevention, monitoring and remediation
• Multi-factor authentication
• Layered security controls
• Transaction monitoring
• Marketing programs for customer awareness and education
• Annual risk assessment
Security and Compliance Checklist