TRANSCRIPT
When "Commercially Reasonable" Collides with "Commercially Available"
Howard Ives – VP, Sales and Business Development
Aaron Bills – COO & Founder, 3Delta Systems
Session 2065: Tuesday, May 15, 2012, 11:00 AM – 12:00 Noon
What We Do
• Founded in 1999 – Specialize in payment processing for B2B and B2G sectors
• Leader in secure, online purchase-card and credit card processing solutions
– Complete suite of payment solutions designed from the ground up to be scalable, easy to implement and conform with PCI DSS best practices
– Enable merchants and buyers to manage, authorize and settle payment transactions in real time
• Steady growth – 10,000+ direct active corporate and government merchant accounts
– 12 million+ transactions worth over $12 billion processed per year
• Largest single-item purchase: $4.15 Million
• Typical intra-day volumes: $75 Million / 75,000 transactions
• Assist organizations with AR / AP and supplier enrollment
Agenda
• Threat landscape and the workplace
• Account takeover and corporate risk
• What is “Commercially Reasonable”?
• What is “Commercially Available”?
• What standards have been established?
• Using guidance to reduce risk
Consumerization of the Workspace: Data - Anywhere, Any Device
• Devices
– Tablet PCs
– Smart phones
– Home or other remote systems used to access work assets
• BYOD
– Angry Birds, anyone? Fun. Harmless (probably…)
– How about “DroidDream”?
– February 2012: Applications bypassing Apple privacy settings…
• Social Media
– Used as a recon base for phishers
And, I Can’t Even Get Paid…
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 22, 2011 7:32 AM
To: Doe, John
Subject: ACH transaction rejected

The ACH transaction, recently sent from your checking account (by you or any other person), was cancelled by the Electronic Payments Association. Please click here to view report
------------------------------------------------------------
Otto Tobin, Risk Manager
= = = = = = = = = = = = = = = = = = =
Compromises At All-Time High
• More breaches, less stolen data?
– Number of breaches almost doubled since 2010 (Verizon Data Breach Report)
– However, record loss decreases
• 361 million >> 144 million >> 4 million
Verizon 2011 Data Breach Investigations Report
Compromises At All-Time High
• It appears cybercriminals are currently satisfied with compromising Point-of-Sale (POS) systems and performing account takeovers and Automated Clearing House (ACH) transaction fraud.
• There has been an increase in these areas in 2010. In relation to prior years, it appeared there were more data breaches in 2010, but the compromised data decreased due to the size of the compromised companies’ databases.
• This shows a willingness in the cybercriminal underground to go after smaller, easier targets that provide them with a smaller, yet steady stream of compromised data.
Verizon 2011 Data Breach Investigations Report
Compromises At All-Time High
• There has also been a noticeable increase in account takeovers.
– This can be directly related to the continued rise of the Zeus Trojan and other malware variants created to capture login credentials to financial websites.
• These account takeovers result in fraudulent transfers from the victim’s account to an account under the control of the perpetrator.
Verizon 2011 Data Breach Investigations Report
What is Commercially Reasonable?
• Uniform Commercial Code – Article 4A, Part 2 governs the issue and acceptance of payment orders as part of the funds transfer process.
• § 4A-201. SECURITY PROCEDURE.
– "Security procedure" means a procedure established by agreement of a customer and a receiving bank for the purpose of (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, callback procedures, or similar security devices. Comparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure.
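The statute lists "algorithms or other codes" and "encryption" among the devices a security procedure may use. The following is an added example, not from the presentation or from any bank's system, of the simplest form such a code can take in software: the customer and the receiving bank share a per-customer secret, and every payment order carries a message authentication code over its canonical content, which lets the bank both check that the order came from a holder of the secret (purpose (i)) and detect alteration of its content in transit (purpose (ii)). The shared key, the field names and the order values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example, not from the presentation or any bank's system: one way the
# "algorithms or other codes" a §4A-201 security procedure may require can be
# realised. Customer and receiving bank share a per-customer secret; every payment
# order carries a MAC over its canonical content. Key, field names and values are
# assumptions made for the example.

SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(order: dict) -> bytes:
    """Deterministic serialization so both sides MAC exactly the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def authenticate_order(order: dict, key: bytes) -> str:
    """Customer side: compute the code that accompanies the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, code: str, key: bytes) -> bool:
    """Bank side: recompute the code and compare in constant time."""
    expected = authenticate_order(order, key)
    return hmac.compare_digest(expected, code)


# Constructed payment order.
ORDER = {
    "order_id": "2012-05-15-000417",   # unique per order; lets the bank reject a replayed order
    "sender": "acme-corp",
    "beneficiary_account": "ACME-SUPPLY-0192",
    "amount_cents": 1250000,
    "currency": "USD",
}


def demo() -> dict:
    """Run the three cases the procedure must distinguish."""
    code = authenticate_order(ORDER, SHARED_KEY)
    # Content changed after the customer authenticated it (error or tampering in transit).
    altered = dict(ORDER, beneficiary_account="UNKNOWN-ACCT-7731")
    return {
        "genuine": verify_order(ORDER, code, SHARED_KEY),
        "altered": verify_order(altered, code, SHARED_KEY),
        "wrong_key": verify_order(ORDER, code, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'altered': False, 'wrong_key': False}
```

A code like this proves only that a holder of the key authenticated exactly these bytes; it cannot show that the order reflects the customer's intent when the customer's own endpoint is compromised, which is why the guidance discussed later pairs such codes with callback (out-of-band) confirmation and dual control rather than relying on any one of them.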
What is Commercially Reasonable? (con’t.)
• § 4A-202. AUTHORIZED AND VERIFIED PAYMENT ORDERS.
– (b) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.
What is Commercially Reasonable? (con’t.)
• § 4A-202. AUTHORIZED AND VERIFIED PAYMENT ORDERS.
– (c) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.
What is Commercially Reasonable? (con’t.)
• A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer.
What is Commercially Reasonable? (con’t.)
• Determining the commercial reasonableness of a bank’s security procedure means analyzing the extent to which the bank’s security procedures as applied to that transaction consider:
– The wishes of the customer as expressed to the bank
– The circumstances of the customer known to the bank, including transactional criteria such as size, type, and frequency of payment orders normally issued by the customer to the bank
– Alternative security procedures offered by the bank to the customer
– Conformance with security procedures in general use by customers and receiving banks similarly situated
Beyond “Commercially Reasonable”
• Conformance with security procedures in general use by customers and financial institutions similarly situated would seem to be a broad shield against liability
• The UCC accepts what is in “general use” as an element of its standard of “commercial reasonableness”; however, a plaintiff may offer two precedents that impose a higher standard of reasonableness whether such a standard is in general use or not.
Beyond “Commercially Reasonable”
• Rulings:
– Texas & P.R. v. Behymer, 189 U.S. 468, 470 (1903). Supreme Court Justice Oliver Wendell Holmes wrote: “[w]hat usually is done may be evidence of what ought to be done, but what ought to be done is fixed by a standard of reasonable prudence, whether it usually is complied with or not.”
– T. J. Hooper v. Northern Barge, 60 F.2d 737 (2d Cir. 1932). Justice Learned Hand wrote: “Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices … Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission.”
Selected Litigation Examples
• Experi-Metal v. Comerica (2011). A successful phishing attack led to over $9M in fraudulent transfers; lawsuit by the business against the bank; the judge ruled for the business, stating “[t]his trier of fact is inclined to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”
• Echoes of the famous T.J. Hooper case (1932)
– Tug loses barge and cargo due to a storm that came on suddenly
– Cargo owner claimed the captain was negligent because he had no weather radio
• The tools were available, but not used
What is “Commercially Available?”
• PCI compliance
• Enhanced login tools
• Lockout / pass-phrase management
• History display
• Multifactor use
• Device authentication
• IP address tracking / restriction
• Positive pay
• Dual controls
• Out of band
• Many more…
What Standards Are Established?
• Many. However, the two prominent ones are:
– Payment Card Industry Data Security Standard (PCI DSS)
• Card-centric, sponsored by major credit card brands
• Applies to any entity that stores, processes and transmits credit card data
• Comprehensive standard that is both policy-based and defines technical requirements
• Organizations fully compliant with the PCI have instituted a significant number of systems and practices to thwart data breach/loss
What Standards Are Established? (con’t.)
– Federal Financial Institutions Examination Council (FFIEC)
• The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions [of many types]
• Recent guidance is focused on online banking / transaction systems provided by the regulated FIs
PCI Summary
PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI DSS – Penalties for Non-Compliance
• Failure to comply (or certify compliance) with the PCI DSS may result in fines
• Fines for non-compliance can be up to $5K - $10K per month
• If you have a data breach and are not PCI compliant, fines can be as high as $500K (MC) or $750K (VISA)
– Merchants may also be responsible for any fraudulent charges resulting from the breach and the costs of re-issuing any cards compromised during the breach
• In theory, you can be precluded from accepting credit/debit cards if your compliance deficiencies are bad enough
FFIEC Guidance Summary
• Not every online transaction poses the same level of risk.
– Retail/Consumer Banking: Since the frequency and dollar amounts of these transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk.
– Business/Commercial Banking: Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer.
FFIEC Guidance Summary
• Financial institutions should implement layered security, utilizing controls consistent with the increased level of risk for covered business transactions.
• Recommend that institutions offer multifactor authentication to their business customers.
FFIEC Layered Defense Suggestions
Technical Countermeasures Emphasize Enhanced Authentication
• Dual customer authorization through different access devices
• Out-of-band verification for transactions
• "Positive pay," debit blocks, and other techniques to appropriately limit the transactional use of the account
• Internet protocol [IP] reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
FFIEC Layered Defense Suggestions
Policy/Activity-Based Countermeasures Emphasize Usage Management
• Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response
• Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day and allowable payment windows [e.g., days and times]
• Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud
• Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels
• Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk
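The two FFIEC slides above list the controls but not how they combine into a single decision on a payment order. The following is an added example, not from the presentation or from 3Delta's products, of a screening step that applies them together: value thresholds, an approved-recipient ("positive pay" style) list, a per-day count, an allowed payment window, dual authorization from separate devices and out-of-band confirmation, plus the customer's own history as the behavioral baseline. The policy values, customer, user, device and account identifiers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set

# Constructed example (not code from the presentation or 3Delta Systems): a
# policy-based screening step for business payment orders applying the FFIEC
# layered-defense controls listed above. Thresholds, recipients and user/device
# names are assumptions.


@dataclass
class PaymentOrder:
    customer: str
    amount: float
    recipient: str            # destination account identifier
    submitted: datetime       # local time at the customer
    approvers: Set[str]       # distinct users who approved the order
    devices: Set[str]         # distinct access devices used to approve it
    oob_confirmed: bool       # confirmed over a second channel (call-back/SMS)?


@dataclass
class CustomerPolicy:
    value_threshold: float         # single-order cap before review
    approved_recipients: Set[str]  # "positive pay" style recipient list
    max_orders_per_day: int
    window_hours: range            # allowed submission hours
    window_weekdays: Set[int]      # 0 = Monday ... 6 = Sunday
    dual_auth_above: float         # amount above which two approvers and OOB are required


def screen_order(order: PaymentOrder, policy: CustomerPolicy,
                 history: List[PaymentOrder]) -> List[str]:
    """Return the policy findings for `order`; an empty list means it passed.
    `history` holds the customer's previously accepted orders (the behavioral baseline)."""
    findings: List[str] = []
    if order.amount > policy.value_threshold:
        findings.append("amount exceeds value threshold")
    if order.recipient not in policy.approved_recipients:
        findings.append("recipient not on approved list")
    if order.recipient not in {h.recipient for h in history}:
        findings.append("first payment to this recipient")
    same_day = [h for h in history if h.submitted.date() == order.submitted.date()]
    if len(same_day) + 1 > policy.max_orders_per_day:
        findings.append("daily order count exceeded")
    if (order.submitted.hour not in policy.window_hours
            or order.submitted.weekday() not in policy.window_weekdays):
        findings.append("outside allowed payment window")
    if order.amount > policy.dual_auth_above:
        if len(order.approvers) < 2 or len(order.devices) < 2:
            findings.append("dual authorization from separate devices missing")
        if not order.oob_confirmed:
            findings.append("out-of-band confirmation missing")
    return findings


# Constructed policy for a hypothetical customer "acme-corp".
POLICY = CustomerPolicy(
    value_threshold=50_000.0,
    approved_recipients={"ACME-SUPPLY-0192", "OFFICE-DEPOT-4471"},
    max_orders_per_day=5,
    window_hours=range(7, 19),        # 07:00 to 18:59
    window_weekdays={0, 1, 2, 3, 4},  # Monday to Friday
    dual_auth_above=25_000.0,
)


def _order(amount, recipient, when, approvers, devices, oob) -> PaymentOrder:
    return PaymentOrder("acme-corp", amount, recipient, when, set(approvers), set(devices), oob)


# Constructed history: two accepted orders earlier the same business day.
HISTORY = [
    _order(8_200.0, "ACME-SUPPLY-0192", datetime(2012, 5, 15, 9, 5), ["jdoe"], ["laptop-17"], False),
    _order(31_000.0, "OFFICE-DEPOT-4471", datetime(2012, 5, 15, 9, 40),
           ["jdoe", "msmith"], ["laptop-17", "phone-02"], True),
]

# A routine order: known recipient, modest amount, business hours.
ROUTINE = _order(12_500.0, "ACME-SUPPLY-0192", datetime(2012, 5, 15, 10, 15), ["jdoe"], ["laptop-17"], False)

# The shape an account takeover typically produces: a large transfer to an account
# the customer has never paid, submitted at night from a single user's session.
SUSPECT = _order(95_000.0, "UNKNOWN-ACCT-7731", datetime(2012, 5, 15, 3, 12), ["jdoe"], ["laptop-17"], False)

if __name__ == "__main__":
    for name, order in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, screen_order(order, POLICY, HISTORY) or ["clear"])
```

The findings list, not a single boolean, is what the institution's response process needs: each entry names the control that fired, so the bank can decide whether to hold the order for a call-back, require the second approver, or block it outright, and the same entries serve as the audit trail that later shows the procedure was actually applied to that transaction.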
Layered Security Model
• Begin with the assumption your client’s systems are compromised.
– Can you do business?
• Contemporary systems are being developed to robustly and repeatedly answer:
– Who are you? (Authentication)
– Where can you go in the system? (Authorization)
– What can you see when you get there? (Authorization)
– What can you do when you get there? (Authorization)
• And allow these rights and permissions to be assigned at various levels through the organization with vigorous logging and auditing capability (Accounting)
Layered Security Model
• Investigate new methods of reducing risk, such as data tokenization as a means of removing the valuable and risky data from systems
– Valuable data is replaced by value-less data: credit card number “4111 1111 2222 3333” is replaced by “PG43J74F” or otherwise useless-to-the-criminal values
– Tokenization reduces the scope of PCI efforts as the very presence of a “cardholder data environment” can be reduced or eliminated
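The slide gives the substitution ("4111 1111 2222 3333" becomes "PG43J74F") but not the mechanism that makes the token worthless to a thief. The following is an added example, not 3Delta's product code, of a minimal tokenization vault: the token is drawn at random, so nothing about the card number can be derived from it, and only the vault can map it back. The merchant-side record keeps the token, a truncated form for display and the expiry date, and a scope check confirms that no PAN-shaped value remains in what the merchant stores. The token alphabet and length, the in-memory store and the card numbers are constructed for the example (the first is the slide's own illustrative number).

```python
import re
import secrets
import string

# Constructed example (not 3Delta's product code): a minimal tokenization vault that
# replaces a primary account number (PAN) with a random surrogate so that systems
# outside the vault never hold the card number. Token format and the in-memory store
# are assumptions; a real vault is an isolated, access-controlled service.

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 8   # matches the slide's "PG43J74F"-style example


class TokenVault:
    def __init__(self) -> None:
        self._pan_to_token: dict = {}
        self._token_to_pan: dict = {}

    @staticmethod
    def normalize_pan(pan: str) -> str:
        """Strip spaces/dashes and enforce the 13-19 digit length range of a PAN."""
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("PAN must contain 13-19 digits")
        return digits

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh random one on first sight."""
        digits = self.normalize_pan(pan)
        if digits in self._pan_to_token:        # multi-use token: same PAN, same token
            return self._pan_to_token[digits]
        while True:                              # random, so nothing is derivable from the PAN
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._token_to_pan:  # guard against the rare collision
                break
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and callers authorized to reach it) can recover the PAN."""
        return self._token_to_pan[token]         # KeyError for an unknown token


def store_card(vault: TokenVault, pan: str, expiry: str) -> dict:
    """Build the record the merchant's own database keeps: token, last four digits
    for display, and expiry. The full PAN stays inside the vault."""
    digits = vault.normalize_pan(pan)
    return {"token": vault.tokenize(digits), "last4": digits[-4:], "expiry": expiry}


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def contains_pan(record: dict) -> bool:
    """Scope check: does a stored record still carry anything PAN-shaped?"""
    return any(PAN_PATTERN.search(str(value)) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card(vault, "4111 1111 2222 3333", "05/14")   # slide's illustrative number
    print(record, "contains PAN:", contains_pan(record))
    print("vault resolves token to", vault.detokenize(record["token"]))
```

Because the mapping lives only in the vault, a dump of the merchant database yields tokens that cannot be turned into card numbers without also breaching the vault; that is the sense in which the cardholder data environment shrinks to the vault and the systems allowed to call it. Whether a token is multi-use (same PAN, same token, as here, which supports recurring billing) or single-use is a design decision with its own trade-off: multi-use tokens can still correlate a customer's transactions, so they must be protected as an identifier even though they are not cardholder data.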
Why do ants come to a picnic? It’s where the food is. Remove the food, and the ants go away.
Benefits of Aggressive Awareness and Action
• Reduce the chance that customers will be victims of fraudulent online transactions
– Even if the client computer is compromised
• Reduce the chance that lawsuits will be filed for loss recovery
– Remember also the court of public opinion (reputational harm)
• Demonstrated proactive posture improves ability to successfully withstand a lawsuit to recover online losses
• Loss and risk reduction may have potential to reduce insurance costs
• Tighten customer relationships through client confidence
• Ability to proactively market secure posture and improved competitive advantage
Presenter
Aaron Bills, COO & Founder
703.234.6011 [email protected]
14151 Newbrook Drive, Suite 200, Chantilly, VA 20151 www.3DSI.com
Howard Ives –