Information Security in the Debt Collections Industry


Uploaded by: walker


  1. Information Security in the Debt Collections Industry
  Securing Data Transmitted to External Partners
  March 13th, 2010

  2. XYZ, a Debt Collections Company
  • The market-leading debt collections firm, with over $800 million in market capitalization
  • Collects debt in many areas, including bankruptcy and credit debt, auto recovery and municipal accounts
  • Purchases and manages debt for major clients such as Bank of America, Chase, HSBC, Toyota and GMAC
  • Complies with the consumer-protection statutes enforced by the Federal Trade Commission:
    • Fair Credit Reporting Act
    • Fair Debt Collection Practices Act
  MSIT 458 - FTM Group

  3. XYZ Brand
  XYZ is a secure and trusted partner of many banks and finance companies
  • Strives to build relationships with the "debt sellers"
  • Makes debt sales "pain free" for the sellers
  • Ensures data security
  • Employs a scoring model on each potential debt purchase to negotiate with the sellers
  • To achieve its goal of collecting on debts, XYZ is "in the business of purchasing information"

  4. Business Problem
  XYZ is forced to use the various data transmission and receipt methods dictated by its external partners in order to maintain strong relationships. Because of this, XYZ must address each transmission and receipt method in its security policy and focus on internal efforts to protect the data it holds.

  5. Data Flow for Debt Collections

  6. Data Transmission Methods
  • Email
  • FTP
  • HTTP / Secured Website

  7. Business Process: Email
  Incoming records from debt sellers arrive by email and are stored locally on hard drives and servers. Each record contains:
  • Name
  • SSN
  • Debt account #
  • Debt amounts
  • Phone number
  • Address

  8. Email Transmission: External
  • To third parties
  • To lawyers / courts

  9. Email Transmission: Types of Threats
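Slides 7 to 9 describe records containing names, SSNs and account numbers that are stored locally and then sent onward by email to lawyers and courts. The following is an added example, not code from the presentation: an outbound-mail gate that parses a message, scans its text parts for SSN-shaped values (using the structural rules the SSA publishes to cut false positives) and releases the message only if it carries no SSNs or is S/MIME encrypted. The message sample, the addresses and the hook name check_outbound() are constructed for this example.

```python
"""Outbound email PII gate (added example, not from the presentation).

Assumes the mail relay hands each outgoing message to check_outbound()
before delivery. Text parts are scanned for SSN-shaped values; a message
that carries SSNs is released only if it is S/MIME encrypted
(application/pkcs7-mime), otherwise it is held for review.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, and the group and serial parts are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped token in text that passes the structural rules."""
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]


def is_smime_encrypted(msg: Message) -> bool:
    """An S/MIME enveloped message has a single opaque pkcs7-mime body."""
    return msg.get_content_type() == "application/pkcs7-mime"


def check_outbound(raw: str) -> dict:
    """Decide whether an outgoing message may leave: release, or hold for review."""
    msg = message_from_string(raw)
    if is_smime_encrypted(msg):
        return {"action": "release", "ssns": [], "reason": "S/MIME encrypted"}
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        found.extend(find_ssns(payload.decode(charset, "replace")))
    if found:
        return {"action": "hold", "ssns": sorted(set(found)),
                "reason": f"{len(found)} SSN(s) in cleartext"}
    return {"action": "release", "ssns": [], "reason": "no PII detected"}


# Constructed sample (not a real message): a placement batch emailed to a law firm.
SAMPLE_MAIL = """\
From: placements@xyz.example
To: intake@lawfirm.example
Subject: Placement batch 2010-03-13
Content-Type: text/plain; charset=us-ascii

Debtor: J. Doe  SSN: 123-45-6789  Acct: 4455-0019  Balance: $2,310.00
Debtor: R. Roe  SSN: 666-12-3456  Acct: 4455-0020  Balance: $880.50
Ticket ref 987-65-0000 is not an SSN.
"""

if __name__ == "__main__":
    print(check_outbound(SAMPLE_MAIL))
```

Only the first SSN survives the structural check (666 is never an issued area number and a serial of 0000 is never issued), so the sample is held with one finding; the same message wrapped as S/MIME enveloped-data would be released because the gate cannot and need not read inside it.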


  11. FTP Channel: Purpose & Usage
  What is FTP? FTP, the file transfer protocol, is an application-layer protocol with a client/server architecture that is used to transfer (download/upload) files over a network, public or private.
  Company profile: FTP
  > Usage (internal & external): frequent and heavy
  > Type of data: large files containing highly sensitive PII
  > User community: wide diversity (business/technical), ~40 users
  > Landscape: software / hardware / network
  > Top concerns: security, automation, intuitiveness and reliability

  12. FTP Channel: Current Challenges
  • Pressing concern: FTP is inherently not secure. Logins and file contents cross the network in cleartext, so anyone on the path can read or alter them.
  • Common attacks
    • Injection attack
    • Bounce attack (abusing the PORT command so the server opens a connection to a third host)
    • Brute-force attack against logins
    • Steal attack (theft of credentials or files)
  Sidebar malware profile shown on the slide (Sophos's name for the Gumblar campaign, which harvested FTP credentials from infected PCs):
    Name: Troj/JSRedir-R
    Spreads: web browsing
    Prevalence: high
    Detected: 04/30/2009
    Category: virus/spyware
    Type: Trojan
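Every attack on slide 12 except injection is visible on the FTP control channel, which is exactly what cleartext FTP exposes. The following is an added example, not code from the presentation: it inspects a constructed transcript of one FTP session (the "C:"/"S:" line format and the sample traffic are assumptions for this example) and flags cleartext logins, bounce attempts via PORT, and brute-force login runs. Injection is left out because what it means depends on the server implementation.

```python
"""FTP control-channel inspector (added example; not part of the presentation).

Assumes a capture of one FTP control session rendered as text, one message
per line, prefixed 'C:' for client and 'S:' for server (an assumed format).
It flags three of the problems slide 12 lists: cleartext credentials,
bounce attempts via PORT, and brute-force logins.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


@dataclass
class Finding:
    kind: str      # "cleartext-credentials" | "bounce-attempt" | "brute-force"
    line_no: int   # 1-based line in the transcript
    detail: str


def decode_port(command: str) -> tuple[str, int] | None:
    """PORT h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), or None if malformed."""
    m = PORT_RE.match(command)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_session(transcript: str, client_ip: str, brute_threshold: int = 3) -> list[Finding]:
    """Walk the session once and collect findings in transcript order."""
    findings: list[Finding] = []
    client = ipaddress.ip_address(client_ip)
    user = None
    failures = 0
    for n, raw in enumerate(transcript.strip().splitlines(), start=1):
        side, _, msg = raw.partition(":")
        msg = msg.strip()
        if side == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                # USER and PASS both crossed the wire unencrypted: a passive
                # sniffer on any hop now holds a working login.
                findings.append(Finding("cleartext-credentials", n,
                                        f"user={user!r} password={arg!r}"))
            elif verb == "PORT":
                target = decode_port(msg)
                if target and ipaddress.ip_address(target[0]) != client:
                    # Classic bounce: the server is told to open its data
                    # connection to some third host (here an internal SMTP port).
                    findings.append(Finding("bounce-attempt", n,
                                            f"server asked to connect to {target[0]}:{target[1]}, client is {client_ip}"))
        elif side == "S":
            if msg.startswith("530"):
                failures += 1
                if failures == brute_threshold:
                    findings.append(Finding("brute-force", n,
                                            f"{failures} consecutive login failures for user {user!r}"))
            elif msg.startswith("230"):
                failures = 0
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample session (not real traffic). Client 203.0.113.9 talks to a
# debt seller's FTP server; the second PORT points at an internal mail host.
SAMPLE_SESSION = """\
S: 220 ftp.seller.example FTP server ready
C: USER collections
S: 331 Password required for collections
C: PASS winter2009
S: 530 Login incorrect
C: USER collections
S: 331 Password required for collections
C: PASS winter2010
S: 530 Login incorrect
C: USER collections
S: 331 Password required for collections
C: PASS spring2010
S: 530 Login incorrect
C: USER collections
S: 331 Password required for collections
C: PASS Tr0ub4dor&3
S: 230 User collections logged in
C: PORT 203,0,113,9,7,208
S: 200 PORT command successful
C: PORT 10,0,0,25,0,25
S: 200 PORT command successful
C: LIST
S: 150 Opening ASCII mode data connection
C: QUIT
S: 221 Goodbye
"""

if __name__ == "__main__":
    for f in inspect_session(SAMPLE_SESSION, client_ip="203.0.113.9"):
        print(f"line {f.line_no:2d}  {f.kind:22s} {f.detail}")
```

On a real network the same logic would be fed from a packet capture or the FTP server's own log. It only makes the exposure visible; the durable fix is moving the transfers to SFTP or FTPS so that neither the login nor the PII files cross the wire in the clear.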


  14. Forms of External Communication
  • PACER: uses a website to upload court documents
  • Debt sellers: use secured websites to download/upload information in various formats
  • Law firms: document-management outsourcing through Automated Collection Controls

  15. HTTP over TLS (HTTPS)
  • Used to create a secure channel over an insecure network.
  • Not a new protocol per se, but HTTP carried over Transport Layer Security (TLS), normally on port 443.
  • The server authenticates with an RSA public key, typically 1024 or 2048 bits long; the session data itself is encrypted with a symmetric cipher negotiated during the handshake.
  • The client receives the server's public-key certificate, signed by a certificate authority, and must verify both the signature chain and that the name in the certificate matches the host it intended to reach.

  16. Possible Attack Vectors
  • JavaScript (PACER): execution of malicious script in the browser that could exploit a vulnerability
  • Web browsers (PACER, Debt Sellers, Law Firms): malicious plug-ins can compromise users' machines
  • Operating systems (PACER, Debt Sellers, Law Firms): although the impact of OS-level attacks has been reduced over the years, patch management and prompt patch application remain an important part of the security policy

  17. HTTPS attacks are possible!
  • In 2009 it was shown that Microsoft's certificate-handling API (and other TLS clients) stopped reading a certificate's subject name at an embedded null byte, so a CA-issued certificate for a name such as "www.paypal.com\0.attacker.example" was treated as valid for www.paypal.com.
  • The user's browser accepted the certificate automatically, with no warning.
  • This attack affected Internet Explorer, Safari and Chrome until they were patched.
  • The author of the SSLSNIFF tool demonstrated the attack.
  • His PayPal account was revoked after he demonstrated it to eBay. Jerks!
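Slides 15 to 17 come down to one client-side check: that the certificate the browser received actually names the host it dialled. The following is an added example, not code from the presentation or from sslsniff, written to show why the 2009 null-prefix bug mattered: naive_match() reproduces a comparison that reads the certificate name as a C string and stops at the first NUL byte, strict_match() is the comparison a client needs, and hardened_client_context() shows the corresponding settings for Python's ssl module, which is what XYZ's own scripted HTTPS uploads would use. The certificate name www.paypal.com\0.attacker.example is constructed for the example.

```python
"""Certificate-name matching, the check the null-prefix attack defeated.

Added example, not from the presentation. Assumes the TLS client has already
verified the CA signature chain and now compares the hostname it dialled
against the names in the leaf certificate.
"""
from __future__ import annotations

import ssl


def naive_match(hostname: str, cert_name: str) -> bool:
    """Pre-patch behaviour: the name is handled as a C string, so everything
    after an embedded NUL is silently ignored. Do not use; shown for contrast."""
    return cert_name.split("\x00", 1)[0].lower() == hostname.lower()


def strict_match(hostname: str, cert_name: str) -> bool:
    """Reject control characters outright, then require an exact label-by-label
    match; a wildcard is honoured only as the entire left-most label."""
    if not cert_name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in cert_name):
        return False
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels) or len(host_labels) < 2:
        return False
    if cert_labels[0] == "*":
        return host_labels[1:] == cert_labels[1:]
    return host_labels == cert_labels


def certificate_valid_for(hostname: str, subject_alt_names: list[str]) -> bool:
    """True if any DNS name in the certificate strictly matches the host."""
    return any(strict_match(hostname, name) for name in subject_alt_names)


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that make the strict check happen: trust the platform
    CA store, require a certificate, verify the hostname, and refuse TLS
    versions older than 1.2."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed attacker-controlled name of the kind shown in 2009: a CA that
# validates ownership of attacker.example issues this, and a NUL-truncating
# client reads it as www.paypal.com.
ATTACK_NAME = "www.paypal.com\x00.attacker.example"

if __name__ == "__main__":
    print("naive :", naive_match("www.paypal.com", ATTACK_NAME))
    print("strict:", strict_match("www.paypal.com", ATTACK_NAME))
```

The wildcard rule is deliberately narrow: "*.paypal.com" matches "www.paypal.com" but neither "paypal.com" nor "a.b.paypal.com", which is the behaviour browsers settled on after the null-prefix and wildcard-abuse findings of the same period.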

  18. Consequences and Costs

  19. Legal Implications and Costs
  Major fines are levied by the FTC for ineffective controls:
  • The FTC fined Rental Research Services $500,000 for "unfair acts or practices" in violation of the FTC Act.
  • The FTC has fined ChoicePoint twice over data breaches: a $10 million civil penalty (plus $5 million in consumer redress) in 2006, and a further $275,000 in 2009.
  Damaged relationships with sellers could be catastrophic to XYZ (brand equity).

  20. Data Security Costs
  • According to a study by the Ponemon Institute, the "cost of a data breach rose for the fifth year to $204 per compromised record"
  • Data breach expenses are not occurring in companies as often as in the past
  • In the same study, 42% of companies surveyed said the biggest threat was "mistakes made by third-party vendors and company partners"
  • Largest breach in the study: over 100,000 records, costing the breached firm $31 million

  21. Recommendation for XYZ and Data Security (traffic-light figure labelled SLOW, STOP, GO)

  22. Unified Solution (applied to each channel: Email, HTTPS, FTP)
  • Policies
  • Firewall appliance
  • Proxy capabilities
  • IDS/IDP (intrusion detection and prevention)
  • Anti-virus scanning

  23. Unified Solution (applied to each channel: Email, HTTPS, FTP)
  • Host-level antivirus
  • Client software
  • Specified user accounts

  24. Solution Cost Analysis
  • Estimated users: 400
  • Total sites: 3
  • Grand total: $28,700

  25. Questions
