Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security issues DT Fraud Conference 24 th March 2016 Andrew Churchill Technology Strategy.

Published byRonald Warren Long Modified over 8 years ago

Similar presentations

Presentation on theme: "Security issues DT Fraud Conference 24 th March 2016 Andrew Churchill Technology Strategy."— Presentation transcript:

1 Security issues DT Fraud Conference 24 th March 2016 Andrew Churchill Technology Strategy

2 Current and emerging issues Threat Landscape Wider Regulatory Background –Secure Pay & PSD2 –General Data Protection Regulation –eIDAS –ENISA ‘Assumed compromise’ The need for standards –EBA ‘Request for information’ –BSI developments

3 Assume Compromise – Assumed Solution

4 EFFECTIVENESS OF TRADITIONAL, SIGNATURE-BASED ANTI-MALWARE SOLUTIONS Recent malware infection tactics: Drive-by download infection Fake security tool and free scanning services Social engineering – social networks, e.g. Facebook Embed malicious link in email – phishing, pharming and spear phishing type attacks Cracked PDF and document files – embedded link/payload Popular AV signature-based solutions detect on average less than 19% of new malware threats. That detection rate increases to only 61.7% after 30 days Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis 04/08/10

5 ‘Zero Day’ – not so zero New virus sent into wild – Day Zero ………. Spam botnet ……….. Destruction ………... ID Trojan ………… Creation Infection Payload Delivery 1 st Impact Signature Recognition 1 st Recognition of virus as such + circa 30 daysVirus sets to work ISP notices User notices Fraud investigators notice

6 Historic Zero Day – Red October

7 Historic Zero Day - Stuxnet

8 Hypothetical Zero Day – ‘Tim’

9 Legal basis – ‘Tim’

10 ‘Strong’ passwords? Dog’s dinner!

11 Regulations – now – (1 st August 2015) EBA 2014 SecuRe Pay ‘Strong Authentication’ - Mandates multi-factor authentication, but now brings in some interesting caveats, as one or both of these factors: 1) must be mutually independent, i.e. the breach of one does not compromise the other(s); 2) should be non-reusable and non-replicable (except for inherence); 3) designed in such a way as to protect the confidentiality of the authentication data; 4) not capable of being surreptitiously stolen via the internet.

12 Regulatory confusion General Data Protection Regulation Regulation, but with national exemptions Anonymous PETs 4 th Anti-Money Laundering Directive Protecting PII TPP not TTP “very cautious about giving out personal or financial information”

13 AML? DPR? eIDAS? PSD2?

14 Regulations – now – (14 th October ) PSD2 Ratification ‘For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.’

15 Regulations – now – (14 th October ) PSD2 Ratification ‘For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.’ WTF?!

16 Regulations – now – (14 th October ) PSD2 Ratification ‘For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.’ What Techniques Fit?

17 What Techniques Fit?! Could use CAP reader to digitally sign every transaction!

18 Regulations – now – eIDAS Article 8 - Assurance levels of electronic identification schemes 1. An electronic identification scheme notified pursuant to Article 9(1) shall specify assurance levels low, substantial and/or high for electronic identification means issued under that scheme. 2. The assurance levels low, substantial and high shall meet respectively the following criteria: (a) assurance level low/b)substantial/c)high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease/b)decrease substantially/c) prevent … the risk of misuse or alteration of the identity; http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN

19 Regulations – eIDAS (cont.) Article 8 - Assurance levels of electronic identification schemes 3. By 18 September 2015, … set out minimum technical specifications, standards and procedures with reference to which assurance levels low, substantial and high are specified for electronic identification …. Those minimum technical specifications, standards and procedures shall be set out by reference to the reliability and quality of the following elements: (a) the procedure to prove and verify the identity of natural or legal persons applying for the issuance of electronic identification means; (b) the procedure for the issuance of the requested electronic identification means; (c) the authentication mechanism, through which the natural or legal person uses the electronic identification means to confirm its identity to a relying party; (d) the entity issuing the electronic identification means; (e) any other body involved in the application for the issuance of the electronic identification means; and (f) the technical and security specifications of the issued electronic identification means.

20 Need for Standards Adaptable Appropriate Agnostic

21 Need for Standards (cont.)

22 IDAP – Verify ‘Static’ Biometrics on Passports At Enrolment, but not used as a biometric for subsequent authentication

23 IDAP – Verify ‘Static’ Biometrics on Passports At Enrolment, but not used as a biometric for subsequent authentication

24 Implementing Biometrics – PAS92 Choice of Biometrics – Multi-Modality E.g. potential for 8 biometric samples from a short video

25 Implementing Biometrics

26 Real world Biometrics Use FBI Most Wanted

27 Unreal world Biometrics Use FBI Most Wanted

Download ppt "Security issues DT Fraud Conference 24 th March 2016 Andrew Churchill Technology Strategy."

Similar presentations

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Authentication & Kerberos

Authentication & Kerberos
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
FIT3105 Security and Identity Management Lecture 1.

FIT3105 Security and Identity Management Lecture 1.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.

INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Bank Crime Investigation Techniques by means of Forensic IT

Bank Crime Investigation Techniques by means of Forensic IT
INTRODUCTION Coined in 1996 by computer hackers. Hackers use e-mail to fish the internet hoping to hook users into supplying them the logins, passwords.

INTRODUCTION Coined in 1996 by computer hackers. Hackers use to fish the internet hoping to hook users into supplying them the logins, passwords.
Confidential On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank IBA Banking Security Summit 2009.

Confidential On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank IBA Banking Security Summit 2009.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.

Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
Center of Excellence for IT at Bellevue College. Cyber security and information assurance refer to measures for protecting computer systems, networks,

Center of Excellence for IT at Bellevue College. Cyber security and information assurance refer to measures for protecting computer systems, networks,
ITU-T X.1254 | ISO/IEC 29115 An Overview of the Entity Authentication Assurance Framework.

ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
0 1 WHAT KEEPS USERS AWAY? 2 47% 46% 43% 39% 40% 50% 45% 34% 21% 15% 20% 19% 13% 26% 20% 12% I fear that my account information will be viewed by an unauthorized.

0 1 WHAT KEEPS USERS AWAY? 2 47% 46% 43% 39% 40% 50% 45% 34% 21% 15% 20% 19% 13% 26% 20% 12% I fear that my account information will be viewed by an unauthorized.
Awicaksi E-Commerce Security & Payment System E-Commerce.

Awicaksi E-Commerce Security & Payment System E-Commerce.

Similar presentations

Ads by Google