Fred Laing, II UMACHA 2009 Treasury Management Conference epcore and Nebraska AFP.


Fred Laing, II, UMACHA

2009 Treasury Management Conference

epcore and Nebraska AFP

Why is data security so important?
How does this impact the ACH Network?
What do the ACH Rules say?
Where do ACH transactions go anyway?
What are the vulnerabilities?
What can we do about them?

In 2008, 9.9 million people were victims of identity theft, up 22% over 2007 (Congressional Research Service, May 2009)
53 million people (including consumers, employees, students and patients) have had data exposed about themselves in a 13-month period (Information Week, 2006)
There were 158 data breaches recorded in 2005, 312 in 2006, and 446 in 2007 (Information Week, Jan. 2008)
24% of consumers report shopping less online (Visa, 2006)
44 states have enacted some sort of data breach law (ABA, 2009)
Fraud is now the top reason given for chargebacks on several networks (Am. Banker, 2006)
A hacker was indicted for stealing 130 million credit card numbers (Information Week, August 2009)
43.4% of U.S. adults have received a phishing e-mail and almost 5% of those attacks are successful (First Data Report, 2006)
The FBI's Internet Fraud Crime Report recorded 207,492 complaint submissions in 2006

Failures of business to protect consumers:
◦ Network Solutions had a group of hackers break into their web servers and steal 573,000 debit and credit card numbers in July of 2009.
◦ Suncoast Schools Federal Credit Union is reissuing 56,000 debit cards after they just recently determined that the Heartland breach had affected them.
◦ University of North Dakota had a computer stolen in Charleston (last year!) with the personal records of over 84,000 donors. This was reported in June, 2009.
◦ Aetna had a breach resulting from a spam campaign that included the loss of 65,000 Social Security numbers. They are being sued! (class action) – May, 2009.
◦ Virginia Department of Health, along with the FBI and the Virginia State Police, are searching for hackers who demanded a $10 million ransom for return of medical prescription records (many including SS#'s) on 530,000 individuals – May 2009
◦ Checkfree had 160,000 consumer bill payment accounts exposed out of 5 million – they don't know which ones! – Jan. 2009
◦ And don't forget: Ameritrade - 200,000 personal records; LexisNexis - 310,000 potential victims; Bank of America - missing over a million records; ChoicePoint, DSW, HSBC, TJX, Hannaford, Certegy…

TJX – 45.7 million C.C. records, costs are in the 100's of millions
ChoicePoint – $15 million in losses
Hannaford Bros. – 4.2 million records stolen, 1,800 cases of fraud reported
Certegy – 8.5 million records compromised – internally generated
Heartland – over 200 financial institutions affected, well over 1 million consumers
Only three financial institution breaches so far this year (not counting Heartland) – there were twelve last year (privacyrights.org)

Business
◦ Employee dishonesty
◦ Poor controls (access, dual controls, storage)
◦ Faulty or old hardware and/or software
◦ Inappropriate internal security
◦ Poor, or no, encryption
◦ Whaling, spear-phishing
◦ Bad or no security policies

Consumer
◦ Phishing, pharming, etc.
◦ Family dishonesty
◦ Inappropriate downloads
◦ No or old virus software, anti-spyware, firewalls, etc.


Source: Antiphishing.org

PCI-DSS for cards
ACH Rules include some requirements for ACH
Wire is through Federal Reserve Circulars
Paper???????
◦ Image/RDC – Depends on the network or vendor


[Diagram: card payment flow. Parties shown: Cardholder, Merchant, Acquirer, Processor, Settlement Network, Issuer, Business Organization. Flows shown: Authorization, Posting, Dollars.]


Developed from the VISA Digital Dozen:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do NOT use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access to data
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security


Most fraud is in the payments area (check, C.C., debit card, etc.)
ACH is the fastest growing payment network
All that's needed is an ENTRY point
TEL in 2003
◦ Return rates in the 50% range
◦ Unauthorized rates close to 15%
We need to keep it that way


UCC 4A requirement – Commercially Reasonable Security Procedures between the ODFI and originator

Operator security requirements (encryption and access)

Limited access – YOU HAVE TO HAVE A FINANCIAL INSTITUTION THAT AGREES TO ORIGINATE FOR YOU!!!


In “standard” ACH products very limited
◦ Access to the network should be difficult if the ODFI/Company is managing their risk appropriately (KNOW YOUR CUSTOMER!!)

Electronic Check Products
◦ ARC – Limited loss potential (why would someone else pay my bill?)
◦ RCK – Item has already been returned, but only for NSF or uncollected funds – limited liability
◦ POP – Significant potential for loss
  For spontaneous purchases at the point of sale
  Check given back to the consumer
  Signature required on a separate authorization
  Fraudster has the evidence
  NO reasonable fraud management processes in place to date
◦ BOC – Mix of ARC and POP from a vulnerability standpoint

WEB
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Poor authentication procedures

TEL
◦ Fraudulent merchants
◦ Consumers using fraudulent payment data
◦ Incomplete verification processes

Section 1.6 – Transmission of ACH Information Via Unsecured Electronic Networks
◦ 128-bit RC4 encryption for all ACH data that is transmitted or exchanged between any and all parties

Section 2.11.2.5 – WEB Annual Audit
◦ Physical Security
◦ Personnel and Access Controls
◦ Network Security

Physical
◦ Who has access to the terminals used to support your on-line banking?
◦ How do they “get” into the space to access their terminal?
◦ What policies and procedures are in place to ensure your space is secure?
◦ Where is your data stored and how secure is that space?
◦ If information is printed, where is that stored, and when is it destroyed?
◦ Do you have Uninterruptible Power Supplies installed?
◦ Consider closed circuit TVs or other monitoring devices

Network
◦ Virus software
◦ Firewalls
◦ Disable all unused ports
◦ Automatic log-outs after a certain amount of inactivity
◦ Change all vendor supplied passwords (administrator, password, etc.)
◦ Encrypt all data when moved and when stored
◦ Use a VPN whenever possible
◦ Install updates as soon as they are published

Personnel and Access Controls
◦ Password controls
  Changed on a regular basis
  Of a specified length and character type
  Specify HOW they are kept secure
◦ Key fobs (they ARE responsible for their fob!)
◦ Biometric devices
◦ Personnel screening when hiring is done
◦ Dual control on all processes that require handling of sensitive information
◦ Establish a security policy and have each employee read and sign that they have read it
◦ Have an employee awareness training program (they need to know you care…..and that you are watching)

ACH Network Data Security Self Assessment Workbook
◦ Began with a review of the VISA digital dozen
◦ Key sections in the workbook
  Computing your Information Risk Profile (questionnaire based – borrowed from PCI)
  Controls for high to medium risk originators
  Controls for low risk originators
  Case studies and checklists

TIC looked at where we have security built in and where we do not
Project looked at ACH transactions end-to-end
◦ Receiver's information at authorization
◦ Movement of data from ODFI to ACH operator to RDFI for posting
◦ Third party involvement
◦ Data at rest (during storage and then destruction)

HOW is the information moved? How is it stored at each point?
◦ How long does each point retain the information?
◦ What data is moved? What data is stored?
◦ Where is that data, and in how many forms or formats?
◦ How is that data finally destroyed?

Verification of who you're doing business with makes fraud or a breach much less likely…..so how do you authenticate?

Face-to-face:
◦ Driver's license, passport, Gov't ID card, biometric

Virtual:
◦ User ID, password, token, digital certificate

Source: BetterBuyDesign, 2001

A number of authentication methods were tested in the recent past, but per-installed-user costs have proved too daunting for most.

[Chart: authentication methods plotted by level of security (low to high) against install cost per user ($0 to $75), with a 2001-2002 "zone of acceptance". Methods shown: Password Access/ATM Register; RSA SecurID/Pswd/PIN; PKI in Software/Password; PKI in Software/Password +; CD/ROM; PKI in Software Certs; Mag-stripe/Secure PINPad; Mag-stripe/Secure PINPad/Certs; Smartcard/Secure PINPad/Certs; Biometrics; Encrypted Hash TxnID.]

Source: BetterBuyDesign, 2001

Yet there were no real changes in the mix, just a proliferation of “would-be” alternatives that have yet to achieve any real traction.

[Chart: the same methods plotted against install cost per user ($0 to $45), with a 2005 "zone of acceptance". Added entries: 3-D-Secure; Encrypted Hash TxnID; Machine and Device IDs; Host-supplied encryption.]

Information Fraud: Sensitive Information Movement

[Diagram: sensitive information moving across the Endpoint, Applications, Storage, Files and Network layers. Internal systems shown: file server, production data, data warehouse, DR, staging, disk storage, backup disk, backup tape, enterprise email, business analytics, customer portal, outsourced development. External parties reached over WAN, WWW and VPN: WW campuses, WW customers, WW partners, remote employees.]

Security is a TOTAL System, Process, and Procedure Issue!!


Information Fraud: Specific Risks

[Diagram: the same information movement map (Endpoint, Applications, Storage, Files, Network; internal systems and external parties over WAN, WWW and VPN) annotated with specific risks: media theft, device theft, media loss, device loss, data loss, data theft, takeover, fraud, intercept, eavesdropping, unauthorized access, unauthorized activity, unintentional distribution, DOS, corruption, unavailability.]


For every step taken to secure data the hacking community will find a vulnerability.
Our job: keep one step ahead!
Know your customer, and your customer's customers (KYC)
Have good technical resources available
Strong policies and procedures internally
Employee training, and more training!!

Fred Laing, II
UMACHA
7100 Northland Circle, Suite 407
Brooklyn Park, MN 55428
(763) [email protected]

