
LAPERS Seminar 2019



Presentation Transcript


  1. LAPERS Seminar 2019: Cybersecurity and Tools to Combat Payment Fraud. John Murphy, PhD, Global Head of Security Strategy and Architecture; Don Bobeck, Head of Benefit Disbursements. September 2019.

  2. Introduction* *The views expressed here are my own, and are not endorsed, sponsored or supported by BNY Mellon.

  3. The Impacts from Cyber Breaches Continue to be Felt Across the Industry
  • Capital One (2019) – 100MM records. Impact: data stolen included Social Security numbers, full names, addresses, dates of birth, and additional credit card application data. Method: configuration exploit. Actors: possible malicious insider.
  • Equifax (2017) – 143MM records. Impact: stolen Social Security numbers, driver's license numbers, full names, addresses, dates of birth, credit card numbers, and other personal information. Method: unpatched vulnerability. Actors: unknown.
  • NSA Hacking Tools Leak (2017). Impact: 0-day vulnerabilities and tools. Data stolen: multiple tools and critical unpatched vulnerabilities, a possible source of the WannaCry exploit. Method: unknown. Actors: Shadowbrokers (suspected Russian state actors).
  • Mossack Fonseca (2016) – 11.5MM records. Data stolen: legal and financial documents for government and wealthy private customers, released as the "Panama Papers". Method: unpatched vulnerability. Actors: unknown hacktivist actor.
  • Anthem Health – 80MM records. Impact: stolen personal data; Social Security numbers, full names, addresses, dates of birth, and additional healthcare personal data. Method: phishing, typosquatting, malware. Actors: nation state suspected.
  • US Office of Personnel Management (2015) – 21.5MM records. Impact: stolen Social Security numbers, full names, addresses, dates and places of birth, and security clearances. Method: unpatched vulnerability. Actors: unknown.
  • US Internal Revenue Service (2015) – 700K records. Impact: stolen data was used to gain access to tax returns, and fraudulent tax returns were filed, generating nearly $50 million in refunds. Method: insufficient user verification processes. Actors: cyber criminals.

  4. Who Are We Facing? Institutions are under constant attack by continuously evolving adversaries
  Who they are (and what they want)
  • Nation state actors (N. Korea, Russia, China): intellectual property; cripple/disrupt services
  • Cyber criminals: ransomware; financial gain; intellectual property
  • Insiders: financial gain; disrupt services; destroy data
  • Recreational hackers: disrupt services; financial gain; gain reputation
  • Hacktivists: disrupt services; further a cause; reputational loss
  How they do it
  • Insider-coordinated breach
  • Social engineering
  • Web-facing application vulnerabilities
  • Malware infection through compromised email
  • Credential theft through phishing
  • Exploiting internal and third-party vulnerabilities
  • Distributed DoS attacks and ransom
  • Anonymous whistleblower channels, e.g., Wikileaks
  What they target
  • Customer account information and credentials
  • Potentially sensitive information such as investment strategies
  • Confidential correspondence
  • Loss of confidence in the financial institution
  • Disruption of services
  • Destruction of data and IT assets

  5. The consequences of an attack can reverberate across an organization, an industry, or the world
  Consequence categories: disruption of operations; destruction of data; proprietary and confidential data exposure; proprietary and confidential data theft; theft and fraud.
  Impacts:
  • Breakdown of critical infrastructure (national / global economies)
  • Slowed-down, interrupted or stalled operations
  • Lost / compromised competitive advantage
  • Eroded client and consumer confidence
  • Tarnished reputation
  • Financial losses
  • Diminished shareholder value

  6. Proliferation of technology has created an expansive attack surface with a changing perimeter…
  Nodes on the attack-surface map:
  • People: employees, their family and friends; clients and business contacts; third-party vendors, third-party vendors' vendors, and clients' third-party vendors
  • Devices: cell phones, laptops, tablets, the corporate fleet
  • Data and platforms: data storage (cloud, tech centers, portable); corporate platforms; knowledge management systems; test or virtual environments
  • External channels: social media, recruiting, marketing, website

  7. …and attacks can occur at any point across the entire attack surface (the same attack-surface map as slide 6: every node on it is a potential point of entry)

  8. Financial Services is a Top Target for Attackers
  • Financial services made up 23% of the key industries investigated by Mandiant in 2018; the next highest industry is Business and Professional Services at 17% (2018 M-Trends, Mandiant)
  • $3.62 million is the average total cost of a data breach
  • $141 is the average cost per lost or stolen record
  • 27.7% is the likelihood of a recurring material data breach over the next two years (2017 Cost of Data Breach Study, Ponemon Institute)
  Who is behind the attacks? (2017 Data Breach Investigations Report, Verizon)
  • Perpetrated by outsiders (75%); involved internal actors (25%)
  • Conducted by state-affiliated actors (18%)
  • Involved organized criminal groups (51%)
  • Featured multiple parties (3%); involved partners (2%)
  What tactics do they use? (2017 Data Breach Investigations Report, Verizon)
  • Breaches featuring hacking (61%); breaches including malware (51%)
  • Hacking-related breaches leveraging stolen and/or weak passwords (81%)
  • Breaches featuring social attacks (43%)
  • Errors were causal events in 14% of breaches; the same proportion involved privilege misuse
  • Breaches where physical actions were present (8%)
  Data compromised: credentials 71%, payment 12%, personal 9%, other 8%
  Actor motives: financial 96%, espionage 1%, other 3%

  9. 2018 Cost of Cyber Crime (Source: RiskIQ)
  Total cost of cybercrime
  • $600 Billion per year, or $1,138,888/minute
  • $171,233/minute spent by business on information security
  • Globally, the cost of cybercrime to a large business ranged from $11.7 Million/year (from $222/minute)
  Ransomware
  • $8 Billion in costs to organizations, or $15,221/minute
  Malware
  • 1,274 new malware variants/minute
  Cybercrime victims
  • 1,861/minute
  Records leaked (from publicly disclosed incidents)
  • 2.9 Billion per year, or 5,518/minute

  10. Attacks and Metrics
  What the industry thinks
  • Only 7% feel they face a threat from nation-states or sponsored attackers, and only 34% feel the threat is "advanced".
  • 55% believe the threat is purely accidental, and only 12% believe the threat is intentional.
  • 68% of industrial customers feel they are well prepared for an attack.
  • 38% believe they've never had an incident.
  What we've seen
  • 66% of industrial sectors face either a high or medium capability threat, typically associated with nation-states or sponsored attackers.
  • 35% of incidents can be attributed to malware, while another 36% are unknown.
  • Only 38% of facilities are using network-based threat detection or advanced monitoring.
  • Only 18% are using application whitelisting.
  • Only 21% are planning to implement further controls within the next 18 months.
  What the experts know
  • Highly advanced threats can be bought. Access to cybercrime infrastructure is available by subscription. Direct access to control systems can be purchased from cybercrime organizations.
  • 20% of exploits from a recent campaign were exploits known to be used in targeted attacks against industrial systems.
  • 58% of exploits provided remote access and visibility to criminal subscribers.
  • 30% believe that USB drives are the largest threat factor; 39% of malware enters the ICS via USB device. Once in the ICS, malware can morph into highly targeted attacks.

  11. What Types of Attacks and Defenses?
  Sizing the market (Source: Intelligence.businessinsider.com)
  • An estimated $655 billion will be spent on cybersecurity initiatives to protect PCs, mobile devices and IoT devices between 2015 and 2020: $386 billion on securing PCs, $172 billion on securing IoT devices, and $113 billion on securing mobile devices
  Attacks and the defenses paired with them (percentages as given on the slide)
  • Targeted attacks use a variety of hacking methods to methodically attack a predetermined user or organization. Network defense keeps hackers from infiltrating and navigating through corporate networks to find and steal critical data. (51%, 49%)
  • Zero-day attacks (41%) target software vulnerabilities yet to be discovered and patched. Endpoint and mobile device protection (50%) prevents hackers from compromising individual devices.
  • Cloud data leakage (38%) is when employees upload sensitive company information to cloud services like Dropbox and GitHub. Data-in-motion defenses (47%) protect data while it is being sent from one device to another.
  • Mobile malware (38%) is specifically designed to target the operating system on mobile devices, allowing hackers to steal data on the device. Data-at-rest defenses (47%) protect data when it is stored on corporate devices or in databases.
  • SQL injection is an attack method in which attacker-supplied input is executed as part of a database query, allowing them to read, modify or delete data stored in that database. Analysis and correlation tools help monitor the flow of data through corporate networks and databases to find suspicious activity. (46%, 37%)

  12. Financial Industry Concerns
  Chain of impact
  • The interrelationships between financial industry participants are complicated, and effects can cascade should a large industry participant be impacted
  • The effects of the 2017 Equifax breach are still being felt, and the long-term magnitude of the impact is expected to be very high
  • Events affecting a single partner have far-reaching impact; the systemic risk is greater than the reputational impact on the single affected provider
  Vendor dependencies
  • The ecosystem of partners, both between industry participants and their technology, legal and business affiliations, creates the potential for high impact following a seemingly non-impactful event
  • The breach of Mossack Fonseca, resulting in the "Panama Papers", demonstrates the effect a single entity can have when it underpins the relationships between a diverse set of market participants
  • The influence of one vendor in a sea of multiple vendors must be understood
  Aging technologies
  • Many financial industry participants may introduce risk through their use of aging technologies, such as mainframes and minicomputers
  • The expertise to maintain these older systems is fading; companies are tasked with moving away from once-reliable systems with known and maintained codebases, shoring up those systems while replacing a retiring workforce

  13. Personal Information and the cost of legislation – CCPA and GDPR

  14. What are the components of a good Cyber Program?

  15. Evolve your Cybersecurity Efforts Into an Organic and Highly Dynamic Program Integrated Across Your Business
  Industry challenges
  • Traditional technology-driven approaches to cybersecurity are not enough
  • In the new world, cybersecurity is a technology and business problem
  Recommended strategy
  • Integrate your cyber program and technology with your businesses
  • Establish transparency to drive ownership by reporting and measuring your cyber risk against uplift capability targets, key milestones, and adoption
  • Hold yourselves and your businesses accountable for shaping and using your cyber services
  • Continuously evolve over time to address emerging threats

  16. Our Cybersecurity Service Model (CSM) is based on Industry Frameworks

  17. Cybersecurity Starts at Home

  18. Fraud, Fraud Prevention and Education
  • Shift in the industry
  • Physical controls
  • Combating fraud
  • Educating plan participants
  • Additional safeguards

  19. Fraud in the Pension / 401(k) Industry
  In our industry there has been a shift from fraud attempts against the plan to attempts against the plan participants.
  Check fraud schemes are constantly evolving in attempt and appearance:
  • 2013: 441 attempts with a value of $1.4 million
  • 2019: 301 attempts with a value of $500k
  Identity theft involving retirement accounts appears to be increasing:
  • Personal information is readily available online
  • Data breaches expose personal information
  • Lack of knowledge can lead to vulnerability
  This encourages attempted account takeovers, where the fraudster seeks to gain control of a retirement account without the account owner being aware.
  With anything of value, you have to guard against theft and fraud.

  20. Fraud and Prevention Used to be More Straightforward
  Fraud types (physical checks)
  • Fraudulent checks: contain an accurate DDA, transit routing number and client name, but an inaccurate check number, date, amount and payee
  • Duplicate fraudulent checks: contain an accurate transit routing number, DDA, check number, date and amount, but an inaccurate physical appearance
  • Washed checks: an original check with an altered payee name, or a duplicate check with an altered payee name
  • Forged endorsements
  Fraud prevention
  • Positive Pay: technology that helps monitor the processing of disbursement items and aids in the identification of suspect checks by comparing critical data elements such as: valid issuance on file; abnormally large amounts; checks outside the current serial range; stopped/voided checks
  • Positive Payee: leverages Positive Pay to include comparison of the payee name and first line of address against the issuance file, to systemically reject potentially fraudulent checks
  • Claim against the bank of first deposit
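Positive Pay and Positive Payee reduce to comparing each presented item against the issuer's issuance file. The following Python is an added example, not code from the presentation or from any BNY Mellon system; it encodes the slide's exception criteria, and the issuance file, presented items, current serial range and large-amount threshold are all constructed for the example.

```python
"""Positive Pay / Positive Payee screening of presented checks.

Added example: the issuance file, presented items, serial range and
large-amount threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Issuance:
    """One record from the issuer's issuance file."""
    serial: int
    amount: Decimal
    payee: str
    address_line1: str
    status: str = "open"   # open | stopped | voided | paid


@dataclass(frozen=True)
class Presented:
    """A check presented for payment. Routing number and DDA are omitted:
    the slide notes counterfeits carry accurate ones, so they discriminate nothing."""
    serial: int
    amount: Decimal
    payee: str
    address_line1: str


# Constructed issuance file and screening parameters
ISSUANCE_FILE: Dict[int, Issuance] = {
    1001: Issuance(1001, Decimal("1250.00"), "Jane Q. Participant", "12 Elm St"),
    1002: Issuance(1002, Decimal("980.50"), "Robert Roe", "7 Oak Ave", status="stopped"),
    1003: Issuance(1003, Decimal("2100.00"), "Maria Garcia", "44 Pine Rd"),
    1004: Issuance(1004, Decimal("640.00"), "Wei Chen", "9 Birch Ln", status="paid"),
}
CURRENT_SERIAL_RANGE: Tuple[int, int] = (1000, 1050)
LARGE_AMOUNT_THRESHOLD = Decimal("10000.00")


def _norm(text: str) -> str:
    """Case-, punctuation- and whitespace-insensitive form for payee/address compare."""
    kept = "".join(ch for ch in text.upper() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def positive_pay_exceptions(item: Presented,
                            issuance_file: Dict[int, Issuance] = ISSUANCE_FILE,
                            serial_range: Tuple[int, int] = CURRENT_SERIAL_RANGE,
                            large_amount: Decimal = LARGE_AMOUNT_THRESHOLD) -> List[str]:
    """Return the exception codes for one presented item (empty list = clear to pay)."""
    exceptions: List[str] = []
    low, high = serial_range
    if not low <= item.serial <= high:
        exceptions.append("SERIAL_OUT_OF_RANGE")
    if item.amount >= large_amount:
        exceptions.append("ABNORMALLY_LARGE_AMOUNT")
    issued = issuance_file.get(item.serial)
    if issued is None:
        exceptions.append("NO_ISSUANCE_ON_FILE")
        return exceptions               # nothing further to compare against
    if issued.status in ("stopped", "voided"):
        exceptions.append(f"ITEM_{issued.status.upper()}")
    elif issued.status == "paid":
        exceptions.append("DUPLICATE_PRESENTMENT")   # the genuine item already cleared
    if issued.amount != item.amount:
        exceptions.append("AMOUNT_MISMATCH")
    # Positive Payee: extend the comparison to payee name and first address line
    if _norm(issued.payee) != _norm(item.payee):
        exceptions.append("PAYEE_MISMATCH")
    if _norm(issued.address_line1) != _norm(item.address_line1):
        exceptions.append("ADDRESS_MISMATCH")
    return exceptions


def screen_batch(items: List[Presented]) -> List[Tuple[int, List[str]]]:
    """Screen a presentment file; items with no exceptions are cleared to pay."""
    return [(item.serial, positive_pay_exceptions(item)) for item in items]


# Constructed presentment batch covering the slide's fraud types
PRESENTED_BATCH = [
    Presented(1001, Decimal("1250.00"), "JANE Q PARTICIPANT", "12 Elm St"),  # genuine
    Presented(1003, Decimal("2100.00"), "John Doe", "44 Pine Rd"),           # washed: payee altered
    Presented(1002, Decimal("980.50"), "Robert Roe", "7 Oak Ave"),           # stopped item
    Presented(2500, Decimal("15000.00"), "Cash", "1 Main St"),               # counterfeit
    Presented(1004, Decimal("640.00"), "Wei Chen", "9 Birch Ln"),            # duplicate of a paid item
]

if __name__ == "__main__":
    for serial, codes in screen_batch(PRESENTED_BATCH):
        print(serial, "PAY" if not codes else "EXCEPTION " + ",".join(codes))
```

Note what this does not catch: a duplicate fraudulent check that copies every data element of an open, not-yet-paid item passes both Positive Pay and Positive Payee, which is why the slide still lists physical appearance and the claim against the bank of first deposit as controls.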

  21. Combating Fraud Today: Evolution and Education
  Call center
  • Enhance authentication past the traditional fields (name, address, date of birth, SSN); consider including a personal identification number, security questions, or a security phrase
  Portal access
  • Add a confirmation step to web withdrawals before releasing funds: call center, mail, or an email containing a confirmation link sent to the original email on file
  • Limit portal edits or changes to the email address and the name on the account
  • Send change confirmation notices
  • Consider limiting access points if utilizing single sign-on
  • Prevent, or alert the administrator on, toxic request combinations: new account registration, ACH change and withdrawal; new device, payment change and withdrawal
  Plan considerations
  • Discontinue ACH distributions on 401K withdrawals
  • Education for plan participants
  • Ensure security is current: encryption standards; Federal Financial Institutions Examination Council (FFIEC) compliant; third-party penetration testing
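The toxic request combinations on the slide can be screened mechanically from the portal's event stream. The following Python is an added example, not code from the presentation or from any vendor product: a withdrawal is held when the same participant generated the other events of a combination within a look-back window. The event names, log lines and the 72-hour window are constructed assumptions.

```python
"""Screening withdrawals for toxic request combinations.

Added example: event names, log lines and the 72-hour look-back window are
constructed assumptions, not an actual portal's schema.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, FrozenSet, List, NamedTuple


class Event(NamedTuple):
    at: datetime
    participant: str
    kind: str


# Each rule lists the events that, together with a withdrawal by the same
# participant inside the look-back window, form a toxic combination.
TOXIC_RULES: Dict[str, FrozenSet[str]] = {
    "REGISTRATION_ACH_WITHDRAWAL": frozenset({"new_registration", "ach_change"}),
    "NEW_DEVICE_PAYMENT_WITHDRAWAL": frozenset({"new_device", "payment_change"}),
}

# Constructed portal event log: timestamp,participant,event
SAMPLE_LOG = """
2019-09-03T10:15:00,P1001,new_registration
2019-09-03T10:20:00,P1001,ach_change
2019-09-04T09:00:00,P1001,withdrawal
2019-09-01T08:00:00,P2002,new_device
2019-09-01T08:05:00,P2002,payment_change
2019-09-10T12:00:00,P2002,withdrawal
2019-09-05T14:00:00,P3003,new_device
2019-09-05T14:30:00,P3003,withdrawal
2019-09-06T09:00:00,P4004,new_device
2019-09-06T09:10:00,P4004,payment_change
2019-09-06T09:15:00,P4004,withdrawal
"""


def parse_events(text: str) -> List[Event]:
    """Parse CSV log lines into Event records."""
    events = []
    for at, participant, kind in csv.reader(StringIO(text.strip())):
        events.append(Event(datetime.fromisoformat(at.strip()), participant.strip(), kind.strip()))
    return events


def screen_withdrawals(events: List[Event], window_hours: int = 72) -> List[dict]:
    """Decide HOLD or RELEASE for every withdrawal in the event stream.

    A withdrawal is held when the participant's earlier events within the
    window contain every event of at least one rule.
    """
    by_participant: Dict[str, List[Event]] = defaultdict(list)
    for event in events:
        by_participant[event.participant].append(event)

    window = timedelta(hours=window_hours)
    decisions = []
    for participant in sorted(by_participant):
        history = sorted(by_participant[participant], key=lambda e: e.at)
        for index, event in enumerate(history):
            if event.kind != "withdrawal":
                continue
            # Kinds of events this participant generated in the window before the withdrawal
            recent = {prior.kind for prior in history[:index] if event.at - prior.at <= window}
            matched = sorted(name for name, required in TOXIC_RULES.items() if required <= recent)
            decisions.append({
                "participant": participant,
                "withdrawal_at": event.at.isoformat(),
                "decision": "HOLD" if matched else "RELEASE",
                "rules": matched,
            })
    return decisions


if __name__ == "__main__":
    for d in screen_withdrawals(parse_events(SAMPLE_LOG)):
        print(d["participant"], d["withdrawal_at"], d["decision"], ",".join(d["rules"]))
```

In the sample, P1001 and P4004 are held; P3003 is released because a new device alone is not a combination, and P2002 is released only because its payment change is nine days old, so the window is the tuning knob: set it from the plan's observed change-to-withdrawal latency rather than from a guess, and adding a third combination is one more entry in the rule table.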

  22. Educating Plan Participants: Portal Best Practices
  Regularly check your retirement account:
  • Account balance
  • Account trades, deposits and withdrawals
  • Listed addresses, phone numbers and emails
  • Promptly notify the company if there's a problem
  Don't ignore notices about account changes.
  Avoid using public computers or Wi-Fi to access your account.
  Secure all electronic devices.
  Add email/text alerts on the account to notify you when account information has changed.
  Use a strong password for online access to the account. It should be different from other passwords you have.
  Avoid choosing security questions that scammers could find the answers to online or in social media.
  Use two-factor authentication to gain access to your account, if available. This involves one-time access codes emailed or texted to the account holder.

  23. Additional Safeguards
  • Unlike bank accounts backed by the FDIC and credit cards that may carry zero-liability policies, retirement accounts are not similarly protected
  • Providers may offer cyber-fraud insurance on account balances free of charge
  • Know what to do if you become a victim: alert local police, and in some cases the FBI; contact the companies and banks where the fraud occurred; read fraud alerts and regularly review your credit reports; report identity theft to the Federal Trade Commission

  24. Contact Us
  John B. Murphy, Ph.D., Managing Director, Global Head Security Strategy and Architecture, BNY Mellon Technology Information Security, john.b.murphy@bnymellon.com
  Don Bobeck, Managing Director, Head of Benefit Disbursements, BNY Mellon Operations Benefit Disbursements, don.bobeck@bnymellon.com
