Cyber Threats to Retail Financial Services and Payments
Ruth Wandhöfer
Global Head of Regulatory and Market Strategy
Chair European Payments Council Payment Security Group
May 2015
Citi Treasury and Trade Solutions | Global Regulatory and Market Strategy
Increase in Digital Banking Enhances Need for Cyber Security
As business interactions move online, cyber threats are becoming more sophisticated and dangerous.
Tremendous Growth of Online Interactions with each Click or Tap Leaving a Trail of Data
Cyber Threat and Fraud are on the Rise with Significant Impacts on Business and the Economy
$200+ Billion: Estimated amount stolen from banks, financial institutions, companies and individuals, double the amount in 2010. [2]
$3 Trillion: Estimated cyber attack fallout cost to global economy by 2020. [1]
[Chart: Global Devices Connected to the Internet (billions), 2009, 2015, 2020: 5B, 15B, 50B]
[Chart: Global Digital Data (in exabytes), 2010 to 2020, y-axis 0 to 40,000]
Chart annotations: 4x in 10 yrs; 44x in 10 yrs
Source: World Economic Forum, SWIFT. 1. McKinsey report: “Risk and responsibility in a hyperconnected world: Implications for enterprises”; January 2014. 2. The Guardian report: “Online fraud costs global economy many times more than $100 billion”; October 2013.
The Changing Information Security Threat Landscape
The cyber threat landscape continues to evolve as better organized and more sophisticated attackers have emerged.
Evolving Threats—An Illustration of the Information Security Challenge
Stages of increasing sophistication:
1. Individual players; opportunistic and casual; driven by desire to ‘prove they can’
2. Typically still individual players; premeditated and planned actions; driven by desire for financial gain
3. Organized crime and Nation States; highly organized and well funded; driven by the opportunity for financial or geopolitical gain; destructive adversaries with aim of disrupting economy
Past vs. Present
Speed of Attack
  Past: Non real-time theft of passwords and confidential information
  Present: Real time compromises of customer computers and communication channels
Target of Attack
  Past: Typically targets of opportunity
  Present: Frequently specifically chosen high value targets
Value of Information
  Past: Very variable—hard to monetize without exposing the malicious actor
  Present: Readily monetized in a sophisticated, secure, and anonymous underground economy
Complexity of Business Model
  Past: Workforce primarily based in same geography as business and on payroll
  Present: Workforce increasingly cross border and outsourced
Sophistication of Techniques
  Past: Moderately sophisticated adversaries seeking to exploit well known vulnerabilities
  Present: Highly sophisticated supply chain to create or detect vulnerabilities and exploit tools, then sold to “worker bees”
Availability of Tools
  Past: Custom tools created by knowledgeable individuals to perform a specific attack
  Present: Malicious tools are commodity items readily available on the black market
Nature and Frequency of Cyber Attacks
Attack Sophistication vs. Intruder Technical Knowledge
The amount of knowledge required to launch very sophisticated attacks is decreasing over time, making these threats more severe each day.
Recent attacks show increased knowledge and understanding of the technology, infrastructure and systems of their victims.
Bad actors are going after customers, suppliers, and third parties in addition to direct attacks.
Intelligence, external and internal, as well as shared knowledge across the industry and governments, will be the most effective counter strategies.
[Chart: Attack Sophistication (Low to High) rising while Required Intruder Knowledge falls, 1980 to 2014. Labels as extracted from the chart: Cross Site Scripting, Password Guessing, Self-replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Spoofing, GUI, Automated Probes/Scans, Denial of Service, www Attacks, Tools, “Stealth”/Advanced Scanning Techniques, Burglaries, Distributed Attack Tools, Staged, Coordinated DDOS, Mobile Malware, SQL Injections, Botnets]
Key Adversaries
Hacktivists
Motivation: Seek publicity for their geopolitical agenda
Methods: Disruption and Defacement
Cyber Terrorism
Motivation: Instill fear so targets comply with demands or ideology
Methods: Using cyber to “enable” their programs (Recruit, Incite, Train, Plan and Finance). Underground forums allow these groups to easily acquire destructive capabilities
State-Affiliated (Advanced Persistent Threat)
Motivation: Political and technological advantage to improve self interests
Methods: Advanced operations to gain a foothold into a target’s infrastructure. Once a foothold is established, the adversary performs reconnaissance and methodically plans their attack. APT actors often leave back doors to re-establish access to the target in case their primary means is identified and mitigated
Cyber Criminals
Motivation: Make Money
Methods: Very mature underground economy supporting every facet of cyber criminal activity
Understanding Information Security Risk
Information Security Risk is determined based on a strong assessment of the threats, known vulnerabilities and the assets involved.
Threats
  External: Nation State; Cyber Terrorists; Cyber Criminals; Hacktivists
  Internal: Privileged Users; End Users
Vulnerabilities
  Insecure Code and Applications
  Toxic Combinations/Over Entitlements
  Client Side Software Vulnerabilities
  Unauthorized Privileged User Access
  Unencrypted Data
  Improper Configuration Management
  Network and Operating System Software Vulnerabilities
Assets
  Intellectual Property
  Corporate Data
  Credentials
  Financial Transactions
Retail Payment Threats: Point of Sale Systems (2014)
Methods
According to Verizon, POS compromises were the leading cause of data breaches from 2011-2013. In 2015, their research found that most small organizations were targeted directly through brute forcing (or guessing) the passwords used to access the systems; conversely, larger organizations were compromised through a multi-staged attack, where malicious actors gained access to secondary systems and worked their way to the POS systems. Common entry vectors include:
• POS Vendors
• Direct Retail System Compromises
• Third Party Compromise with B2B access
Threat Actors
The cybercriminals that steal payment card information often sell it on underground forums. The groups behind each malware family can often be identified through their methods and targets. For example, Backoff and Poseidon malware are often used against POS vendors and then spread to retailers through a remote desktop application.
Defense Considerations
Third party vendor access management can help reduce the risk of compromise through this vector. The following, among others, are best practices:
• Multi-factor authentication
• Lockout policies
• Establish normal activity
• Training for third party vendors
Information Sharing
Partnerships that facilitate information sharing can be one of the best initial indicators of fraudulent activity, allowing financial institutions, retailers and law enforcement to take action.
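Two of the defense considerations above, lockout policies and establishing normal activity for third party vendor access, can be replayed over remote-access authentication logs. The following Python is an added example and is not code from the presentation or from Citi; the log format, the vendor account name, the source addresses (IETF documentation ranges), the business-hours baseline and the lockout thresholds are all constructed assumptions.

```python
"""Lockout-policy and baseline-deviation checks over remote-access authentication logs.

Added example, not part of the original presentation. The log format, the account
name, the source IPs (documentation ranges) and the thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 UTC timestamp> <OK|FAIL> <account> <source IP>".
# Five rapid failures from an unknown address at 02:14 UTC, then a success from the
# same address; later successes come from the vendor's usual address in office hours.
SAMPLE_LOG = """\
2014-11-03T02:14:01Z FAIL pos-vendor-svc 203.0.113.7
2014-11-03T02:14:03Z FAIL pos-vendor-svc 203.0.113.7
2014-11-03T02:14:04Z FAIL pos-vendor-svc 203.0.113.7
2014-11-03T02:14:06Z FAIL pos-vendor-svc 203.0.113.7
2014-11-03T02:14:08Z FAIL pos-vendor-svc 203.0.113.7
2014-11-03T02:14:10Z OK   pos-vendor-svc 203.0.113.7
2014-11-03T09:30:00Z OK   pos-vendor-svc 198.51.100.20
2014-11-04T10:05:00Z OK   pos-vendor-svc 198.51.100.20
2014-11-05T11:12:00Z OK   pos-vendor-svc 198.51.100.20
"""

# Constructed policy: 5 failures within 15 minutes lock the account for 30 minutes.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed "normal activity" baseline per vendor account: expected source
# addresses and the UTC hours during which the vendor normally connects.
BASELINE = {
    "pos-vendor-svc": {"sources": {"198.51.100.20"}, "hours": range(8, 18)},
}


def parse_log(text):
    """Turn the sample log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def apply_lockout(events, threshold=LOCKOUT_THRESHOLD,
                  window=LOCKOUT_WINDOW, duration=LOCKOUT_DURATION):
    """Replay the lockout policy over the events.

    Returns (lockouts, blocked): lockouts lists (account, time) pairs at which the
    threshold was reached; blocked lists the successful logins that happened while
    the account was locked, i.e. logins the policy would have denied.
    """
    recent_fails = defaultdict(deque)  # account -> timestamps of failures in window
    locked_until = {}                  # account -> time the lock expires
    lockouts, blocked = [], []
    for ev in events:
        acct, ts = ev["account"], ev["ts"]
        if acct in locked_until and ts < locked_until[acct]:
            if ev["ok"]:
                blocked.append(ev)
            continue                   # any attempt during the lock is denied
        if ev["ok"]:
            recent_fails[acct].clear()  # a genuine login resets the failure count
            continue
        fails = recent_fails[acct]
        fails.append(ts)
        while fails and ts - fails[0] > window:
            fails.popleft()            # drop failures older than the window
        if len(fails) >= threshold:
            locked_until[acct] = ts + duration
            lockouts.append((acct, ts))
            fails.clear()
    return lockouts, blocked


def deviations(events, baseline=BASELINE):
    """Flag successful logins that fall outside the account's established baseline."""
    findings = []
    for ev in events:
        if not ev["ok"]:
            continue
        normal = baseline.get(ev["account"])
        reasons = []
        if normal is None:
            reasons.append("no baseline for account")
        else:
            if ev["src"] not in normal["sources"]:
                reasons.append("unknown source %s" % ev["src"])
            if ev["ts"].hour not in normal["hours"]:
                reasons.append("outside normal hours (%02d:00 UTC)" % ev["ts"].hour)
        if reasons:
            findings.append((ev["ts"], ev["account"], reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    locks, denied = apply_lockout(evs)
    for acct, when in locks:
        print("LOCKOUT %s at %s" % (acct, when.isoformat()))
    for ev in denied:
        print("DENIED  %s from %s at %s" % (ev["account"], ev["src"], ev["ts"].isoformat()))
    for when, acct, reasons in deviations(evs):
        print("REVIEW  %s at %s: %s" % (acct, when.isoformat(), "; ".join(reasons)))
```

Running the checks together shows why both belong in a vendor access programme: the successful login at 02:14:10 is caught once as a login during an active lockout (the policy would have denied it) and again as a deviation from the vendor's established source address and hours, while the routine daytime logins from the known address produce nothing. In practice the events would be read from the remote desktop gateway or VPN logs rather than a constructed string, and the baseline would be built from a period of observed vendor activity.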
Assessment of Recent Breaches: 2014 Payment Card Breaches – US perspective
2014 saw a mix of attacks on brick-and-mortar establishments and online retailers, often exploiting the remote access tools IT professionals and vendors rely on to maintain payment card systems.
• Criminals have attacked both brick-and-mortar locations and e-Commerce sites, often using stolen or hacked remote administration credentials.
• Any place where payment cards and the internet meet is a potential target.
• Victim retailers rarely find the breach themselves; it is often found by banks.
• Franchises can present some specific issues regarding payment card theft.
• The financial impact of payment card breaches to institutions is rising year-over-year, with the US being one of the most expensive places to have a data breach.
EU Payments Landscape and Security
Market and Legislative developments and their potential impacts
A number of currently unregulated market players provide services to online merchants in order to facilitate e-commerce payment transactions outside the traditional cards world.
In order to ensure these players are regulated, the Payment Services Directive II, which is in the process of being adopted, brings these new providers and services into the payment conduct of business rule regime. New key features of PSD 2 therefore include the introduction of third party payment providers (TPPs), which can provide three types of services:
1) Payment initiation
2) Payment instrument issuance
3) Account information services
While technical rules for communication between TPPs and account holding PSPs/banks are still to be developed by the EBA, it appears that the regulators’ intention is to continue to permit TPPs to ‘re-use’ online banking customers’ personalised security credentials in order to access their account, a process which facilitates the services of payment initiation and account information (as well as the provision of credit). For payment instrument issuance the TPP will contact the bank to understand whether funds are available on the customer account.
Account holding PSPs/banks will need to ensure additional security, given the threat of potential ‘fake’ TPPs that offer their services and obtain customer credentials in order to empty the customer’s account. In all circumstances the account holding PSP/bank remains the first port of call for customer issues as well as the liability back-stop in case of fraudulent, unauthorised transactions. Whilst TPPs will have to prove their ‘innocence’, this is unlikely to happen in the case of a fraudulent intervention.
Threat Implications and Impact on Business
The rise of the cyber threat has wide immediate business implications and significant impacts over the long term.
Immediate Implications for the Business
  Loss of data
  Corruption or destruction of data
  Unauthorized access
  Account takeovers
  Compromised systems and applications
  Unavailability of services
Impact on the Business
  Reputational loss
  Financial loss/fraud
  Regulatory compliance incidents and penalties
  Client loss
Intelligence Cycle
Role of Intelligence - Execution
Intelligence must be an integral part of the decision making process. Intelligence is having the right information, at the right time, and in the hands of the right people.
Intelligence is embedded in the day-to-day work, from the establishment of a customer relationship to the execution of any service. Capturing and understanding the knowledge of employees is the foundation of a successful Intelligence Program.
Output/Deliverables
  Inform operational planning and strategic decision-making
  Inventory of intelligence resources
  Identification of resource gaps, recommendations for remediation
  Centralized mechanism for ad hoc intelligence data
  Regular, frequent updates to senior management and key business stakeholders (e.g. dashboard-type, high-level briefing report)
  Intelligence-sharing and knowledge-sharing (lessons learned, etc.)
[Diagram: the intelligence cycle: Requirements; Planning and Direction; Collection; Processing and Exploitation; Analysis and Production; Dissemination; with Active Collaboration at the centre]
Source: 2008 Federal Bureau of Investigation; www.fbi.gov/about-us/intelligence
Intelligence Involves Forward-Looking Insights
[Diagram: Intelligence as a mosaic of views: Government/Regulatory; Threat Landscape; Industry Trends; Client/Customer Trends; Technology Evolution; Third Party Risk; Security Activity]
Intelligence + Context = Defense (Situational Awareness)
Intelligence is built from a mosaic cutting across various views, which helps to identify emerging trends, make informed decisions and predict the next event.
Intelligence has a short half-life.
Digital Security is Our Business
Citi invests large amounts annually to help protect client assets. Working with our clients is critical to the integrity of end-to-end security.
Security goes beyond technology and authentication mechanisms to various processes, including:
  Maker/checker compliance for transaction authorization
  Ensuring business devices are clean and password-protected
  Leveraging data for alerts
  Payment monitoring and behavior-based blocking tools
Client collaboration is central to maintaining high security.
Focus on Partnering End-to-end, Bringing Together Technology and Best Practices
[Diagram: Cyber Threat addressed through Data Privacy, Channel Protection and Transaction Monitoring]
Digital channels have brought better control, but as we leverage new channels, we need to be at the top of our game and keep ahead of the curve.
The Power of Our Network
CitiDirect BE℠ Online: Award winning digital corporate banking platform live in 96 markets that processes $30+ trillion annually
CitiDirect BE℠ Mobile: Industry leading mobile platform that processed $113 billion in Mobile Payments from on-the-road ICG clients in 2013 alone!
IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the "promotion or marketing" of any transaction contemplated hereby ("Transaction"). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.
Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.
We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.
© 2015 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.
© 2015 Citibank, N.A. London. Authorised and regulated by the Office of the Comptroller of the Currency (USA) and authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.
All views, opinions and estimates expressed in this communication (the “Communication”) (i) may change without notice, and (ii) may differ from those views, opinions and estimates held or expressed by Citigroup Inc., its subsidiaries and branches thereof worldwide (together “Citi”) or other Citi personnel.
This Communication is provided for information and discussion purposes only. Unless otherwise expressly indicated, this Communication does not constitute an offer or recommendation to purchase or sell any financial instruments or other products and does not take into account the investment objectives or financial situation of any particular person. Recipients of this Communication should obtain advice based on their own individual circumstances from their own tax, financial, legal and other advisors before making an investment decision or taking any other action and only make such decisions on the basis of the recipient’s own objectives, experience and resources and on the basis of the recipient’s own tax, financial and legal advice. The information contained in this Communication is based on generally available information and, although obtained from sources believed by Citi to be reliable, its accuracy and completeness cannot be assured, and such information may be incomplete or condensed. It has not been prepared by research analysts, and the information in this communication is not intended to constitute “research” as that term is defined by applicable regulations. Furthermore, the information in it is general, may not reflect recent developments and was not intended and must not be considered or relied on as legal, tax, financial or any other form of advice. Please contact your legal counsel and other advisors if you have any questions or concerns about the matters addressed here.
No liability is accepted by Citi for any loss (whether direct, indirect or consequential) that may arise from any use of the information contained in or derived from this Communication.
IRS Circular 230 Disclosure: Citi, its employees and its affiliates are not in the business of providing, and do not provide, tax or legal advice to any taxpayer outside of Citi. Any statements in this Communication to tax matters were not intended or written to be used, and cannot be used or relied upon, by any taxpayer for the purpose of avoiding tax penalties. Any such taxpayer should seek advice based on the taxpayer’s particular circumstances from an independent tax advisor.
Citi specifically prohibits the redistribution of this Communication in whole or in part without the written permission of Citi and Citi accepts no liability whatsoever for the actions of third parties in this respect.
Copyright © 2015 Citigroup Inc. and/or its affiliates. All rights reserved. CITI, CITI and Arc Design, CITIBANK and CITIGROUP are trademarks and service marks of Citigroup Inc. and/or its affiliates and are used and registered throughout the world.
GRA25586 03/15