Security issues DT Fraud Conference 24th March 2016 Andrew Churchill Technology Strategy

Presentation transcript:

Current and emerging issues
Threat Landscape
Wider Regulatory Background
– Secure Pay & PSD2
– General Data Protection Regulation
– eIDAS
– ENISA ‘Assumed compromise’
The need for standards
– EBA ‘Request for information’
– BSI developments

Assume Compromise – Assumed Solution

EFFECTIVENESS OF TRADITIONAL, SIGNATURE-BASED ANTI-MALWARE SOLUTIONS
Recent malware infection tactics:
– Drive-by download infection
– Fake security tool and free scanning services
– Social engineering – social networks, e.g. Facebook
– Embed malicious link in – phishing, pharming and spear phishing type attacks
– Cracked PDF and document files – embedded link/payload
Popular AV signature-based solutions detect on average less than 19% of new malware threats. That detection rate increases to only 61.7% after 30 days.
Source: Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis, 04/08/10

‘Zero Day’ – not so zero
Timeline (slide diagram): new virus sent into wild (Day Zero) → Creation → Infection → Payload Delivery → 1st Impact → Signature Recognition (1st recognition of virus as such, circa 30 days after Day Zero)
Payload types shown: spam botnet, destruction, ID Trojan
Who notices, in order: virus sets to work → ISP notices → user notices → fraud investigators notice

Historic Zero Day – Red October

Historic Zero Day - Stuxnet

Hypothetical Zero Day – ‘Tim’

Legal basis – ‘Tim’

‘Strong’ passwords? Dog’s dinner!

Regulations – now – (1st August 2015) EBA 2014 SecuRe Pay ‘Strong Authentication’
Mandates multi-factor authentication, but now brings in some interesting caveats, as one or both of these factors:
1) must be mutually independent, i.e. the breach of one does not compromise the other(s);
2) should be non-reusable and non-replicable (except for inherence);
3) designed in such a way as to protect the confidentiality of the authentication data;
4) not capable of being surreptitiously stolen via the internet.

Regulatory confusion
General Data Protection Regulation – Regulation, but with national exemptions
Anonymous PETs
4th Anti-Money Laundering Directive
Protecting PII
TPP not TTP
“very cautious about giving out personal or financial information”

AML? DPR? eIDAS? PSD2?

Regulations – now – (14th October) PSD2 Ratification
‘For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.’

WTF?!

What Techniques Fit?! Could use CAP reader to digitally sign every transaction!
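As an added illustration of the PSD2 ‘dynamic link’ requirement and the CAP-reader transaction signing suggested above (example code, not from the presentation): the code is computed over the amount and the payee account, so a code obtained for one transaction does not verify for an altered one. The shared secret, the account identifiers and the HMAC construction are assumptions made for this example, not the EMV CAP algorithm.

```python
import hmac
import hashlib
import secrets
from decimal import Decimal

# Constructed example: a per-card secret as a CAP-style reader would hold
# (in reality kept inside the chip; here a fixed test value).
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical_transaction(amount: str, payee: str, nonce: str) -> bytes:
    """Serialise the details the code must be bound to.

    The amount is normalised to two decimal places so "10.5" and "10.50"
    bind identically; the payee is the account identifier exactly as the
    bank will execute it; the nonce stops a previous code being replayed.
    """
    amt = Decimal(amount).quantize(Decimal("0.01"))
    return f"{amt}|{payee}|{nonce}".encode()


def sign_transaction(secret: bytes, amount: str, payee: str, nonce: str) -> str:
    """Return an 8-digit code dynamically linked to amount and payee.

    Truncating to 8 digits mirrors what a reader displays; the HMAC is an
    assumed stand-in for the card's signing function.
    """
    mac = hmac.new(secret, canonical_transaction(amount, payee, nonce),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_transaction(secret: bytes, amount: str, payee: str,
                       nonce: str, code: str) -> bool:
    """Bank-side check: recompute over the details actually submitted."""
    expected = sign_transaction(secret, amount, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    nonce = secrets.token_hex(8)
    code = sign_transaction(CARD_SECRET, "250.00", "GB00BANK12345678", nonce)
    print("code shown on reader:", code)
    # The details the user signed verify...
    print(verify_transaction(CARD_SECRET, "250.00", "GB00BANK12345678", nonce, code))
    # ...but a payee or amount altered after signing (the man-in-the-browser
    # case the dynamic link is meant to catch) no longer matches the code.
    print(verify_transaction(CARD_SECRET, "2500.00", "GB00BANK12345678", nonce, code))
    print(verify_transaction(CARD_SECRET, "250.00", "GB00MULE87654321", nonce, code))
```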

Regulations – now – eIDAS
Article 8 – Assurance levels of electronic identification schemes
1. An electronic identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic identification means issued under that scheme.
2. The assurance levels low, substantial and high shall meet respectively the following criteria:
(a) assurance level low / (b) substantial / (c) high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to (a) decrease / (b) decrease substantially / (c) prevent … the risk of misuse or alteration of the identity;

Regulations – eIDAS (cont.)
Article 8 – Assurance levels of electronic identification schemes
3. By 18 September 2015, … set out minimum technical specifications, standards and procedures with reference to which assurance levels low, substantial and high are specified for electronic identification …. Those minimum technical specifications, standards and procedures shall be set out by reference to the reliability and quality of the following elements:
(a) the procedure to prove and verify the identity of natural or legal persons applying for the issuance of electronic identification means;
(b) the procedure for the issuance of the requested electronic identification means;
(c) the authentication mechanism, through which the natural or legal person uses the electronic identification means to confirm its identity to a relying party;
(d) the entity issuing the electronic identification means;
(e) any other body involved in the application for the issuance of the electronic identification means; and
(f) the technical and security specifications of the issued electronic identification means.

Need for Standards
Adaptable
Appropriate
Agnostic

Need for Standards (cont.)

IDAP – Verify ‘Static’ Biometrics on Passports At Enrolment, but not used as a biometric for subsequent authentication

Implementing Biometrics – PAS92
Choice of Biometrics – Multi-Modality, e.g. potential for 8 biometric samples from a short video

Implementing Biometrics

Real world Biometrics Use FBI Most Wanted

Unreal world Biometrics Use FBI Most Wanted