<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>InfoSecMinds</title>
	
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Sat, 15 Jan 2011 09:21:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Infosecminds" /><feedburner:info uri="infosecminds" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>Infosecminds</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>The Faces of Fraud: Fighting Back</title>
		<link>http://feedproxy.google.com/~r/Infosecminds/~3/xRb6rfgnygQ/</link>
		<comments>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/#comments</comments>
		<pubDate>Fri, 31 Dec 2010 04:02:58 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[bank fraud scam]]></category>
		<category><![CDATA[bank information security frauds]]></category>
		<category><![CDATA[breaches of security]]></category>
		<category><![CDATA[cybercrime security]]></category>
		<category><![CDATA[frauds]]></category>
		<category><![CDATA[information security article]]></category>
		<category><![CDATA[internet banking frauds]]></category>
		<category><![CDATA[internet security breaches]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network security breaches]]></category>
		<category><![CDATA[online security breaches]]></category>
		<category><![CDATA[recent security breaches]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security breaches 2010]]></category>
		<category><![CDATA[security breaches statistics]]></category>
		<category><![CDATA[security issues]]></category>
		<category><![CDATA[threats of information security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=280</guid>
		<description><![CDATA[See How Financial Institutions Respond to the Latest Threats

From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was "The Year of Fraud," and the year's incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.]]></description>
			<content:encoded><![CDATA[
<p><strong>See How Financial Institutions Respond to the Latest Threats</strong></p>
<p>From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was &#8220;The Year of Fraud,&#8221; and the year&#8217;s incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.</p>
<p>In response to the growing fraud threats – and to the demand for new solutions – Information Security Media Group just concluded its latest survey, &#8220;The Faces of Fraud: Fighting Back.&#8221;</p>
<p>This is the Executive Summary of the survey results and what they suggest for fighting fraud in 2011.</p>
<p>One of the most telling responses of the survey is to this question:</p>
<p><span id="more-280"></span></p>
<p><strong>When is a fraud incident involving your organization usually detected?</strong></p>
<p><strong><a href="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg"><img class="aligncenter size-full wp-image-282" title="The Faces of Fraud" src="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg" alt="" width="584" height="212" /></a><br />
</strong></p>
<p>In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach – and despite what we&#8217;ve all learned about customer confidence and loyalty in the wake of fraud incidents such as the Heartland Payment Systems breach …</p>
<p>More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers.</p>
<p>This response underscores the need for better fraud detection – before the incidents strike the customer &#8212; and it sets the tone for the survey results, which break down into four main themes:</p>
<p><strong>The Faces of Fraud: Today&#8217;s Top Threats</strong> – What are today&#8217;s top threats? Which threats do institutions feel most prepared to face? What impact have we seen from highly-publicized ACH/wire fraud incidents?</p>
<p><strong>Cross-Channel Fraud:</strong> The Great Mystery – Industry analysts tell us that cross-channel fraud is the growing trend. That no longer are fraudsters targeting just ATMs or payment cards or checks – they&#8217;re seeking to compromise your customers in every way you interact with them. But how prepared are institutions to measure and respond to these cross-channel threats?</p>
<p><strong>Resources:</strong> The Ongoing Challenge &#8212; It&#8217;s been a tough two years for banking. As a result of the global recession and U.S. financial crisis, human and fiscal resources have been hard to come by for banking institutions. Yet, the survey results show encouraging trends on both fronts.</p>
<p><strong>Need for Awareness, New Tools</strong> – If there is one overriding theme of this survey, it&#8217;s this: respondents recognize that awareness programs – for employees and customers alike – as well as fraud detection and prevention tools, are their best weapons to fight fraud. Their challenge is to find the right tools and take the right approaches to awareness.</p>
<p>Download the Executive Summary report for more insight into the points above.</p>
<p>http://docs.ismgcorp.com/files/handbooks/Fraud-Survey-Summary-2010/Fraud-Survey-ExecSummary.pdf</p>
<p>Source: Bankinfosecurity</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/</feedburner:origLink></item>
		<item>
		<title>Healthcare &amp; Security: A Hacker’s Perspective</title>
		<link>http://feedproxy.google.com/~r/Infosecminds/~3/35f3oDNx6fA/</link>
		<comments>http://infosecminds.com/2010/12/30/healthcare-security-a-hacker%e2%80%99s-perspective/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 03:36:05 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[data security breach]]></category>
		<category><![CDATA[healthcare information security]]></category>
		<category><![CDATA[healthcare information security breaches]]></category>
		<category><![CDATA[healthcare information system]]></category>
		<category><![CDATA[healthcare information systems]]></category>
		<category><![CDATA[information security breach]]></category>
		<category><![CDATA[information security breaches]]></category>
		<category><![CDATA[information security policies]]></category>
		<category><![CDATA[information security services]]></category>
		<category><![CDATA[network security breach]]></category>
		<category><![CDATA[network security breaches]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[security breach notification]]></category>
		<category><![CDATA[security breaches]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=270</guid>
		<description><![CDATA[Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: justify;">by Renee Chronister, CEO, Parameter Security</p>
<p style="text-align: justify;">Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority.</p>
<p style="text-align: justify;">Healthcare providers in the Ponemon study also say they lack resources, trained personnel, policies and procedures to safeguard patient records. 58% claim they have little or no confidence in their ability to protect records in their possession. Forget WikiLeaks, as a hacker, this is music to my ears.</p>
<p style="text-align: justify;">So what this really means for healthcare is that something has got to change. Specifically, the mindset that data security is not a priority and that all I have to be is HIPAA compliant to be secure. Well, I hate to be the bearer of bad news, but I can’t tell you how many times I’ve hacked HIPAA compliant healthcare providers. I guess telling your patients, personnel and anyone else affected by the data breach that “I was HIPAA compliant” is better than “Data security isn’t a priority,” but I’m guessing that will still go over like a lead balloon.</p>
<p style="text-align: justify;"><span id="more-270"></span></p>
<p style="text-align: justify;">So the real question here should be: How am I going to improve data security? The answer (and read carefully): SEC<strong>URIT</strong>Y. Did you get it? When it comes to improving data security, <strong>U R IT</strong>.</p>
<p style="text-align: justify;">From an ethical hacker’s perspective (thought it was time to add “ethical” so you could breathe a little easier), security is two-fold – Internal and External. So let’s start with some internal security measures.</p>
<p style="text-align: justify;"><strong>Background Checks for Employment</strong></p>
<p style="text-align: justify;">Knowing who you are hiring can help mitigate security risks. Organizations need to ensure they work better to screen those who will be handling sensitive data.</p>
<p style="text-align: justify;"><em>Case &amp; Point: University of Texas Medical Branch</em></p>
<p style="text-align: justify;">Using a stolen identity to gain employment at UTMD’s medical biller, MedAssets, Katina Rochelle Candrick helped herself to up to 2,400 UTMD patient records.</p>
<p style="text-align: justify;"><strong>Access &amp; Permissions</strong></p>
<p style="text-align: justify;">Unless an employee needs access to sensitive data to successfully complete their job function, they shouldn’t have access. Levels of access controls need to be implemented. Meaning, a receptionist/front desk person should not have the same access permissions to patient data or any other sensitive data that a doctor would have access to.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Community Hospital of San Bernardino</em></p>
<p style="text-align: justify;">Community Hospital of San Bernardino failed to prevent unauthorized access of 204 patients’ medical information by one employee. The same hospital also failed to prevent unauthorized access of three patients’ medical information by one employee in a separate incident.</p>
<p style="text-align: justify;"><strong>Physical Security</strong></p>
<p style="text-align: justify;">Physical Security is just as important as electronic security. You need a gate keeper. In fact, all employees at your healthcare organization need to be gate keepers. Don’t let just anyone wander into the office; question why they are there; do not leave laptops or any other mobile device for that matter unattended so that they grow legs; and create and put into place physical security measures to protect your fort.</p>
<p style="text-align: justify;"><em>Case &amp; Point: AvMed Health Plan</em></p>
<p style="text-align: justify;">More than 200,000 AvMed Health Plan subscribers’ sensitive personal information fell into the wrong hands after a pair of laptops were stolen from a conference room at the company’s corporate headquarters. The laptops contained current and former subscribers’ names, addresses, Social Security numbers and health information.</p>
<p style="text-align: justify;"><strong>Creating &amp; Enforcing Policies &amp; Procedures</strong></p>
<p style="text-align: justify;">Creating security policies and procedures is necessary and all employees need to be made aware of what these policies and procedures are. Once that happens, it is essential to ensure these policies and procedures are adhered to, otherwise it’s a waste of time and paper if they are not enforced.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Cardinal Health</em></p>
<p style="text-align: justify;">The buyer of a laptop sold on eBay contacted Cardinal Health to tell them the used laptop that he/she purchased online contained company information. According to Cardinal Health’s policies, data on decommissioned computers is to be securely deleted by their IT department and the machines then securely destroyed by a vendor. Instead, an employee in their IT department said he had not properly destroyed the data nor sent it to a third party to destroy and, in fact, had sold it on eBay.</p>
<p style="text-align: justify;"><strong>End-User Security Awareness Training</strong></p>
<p style="text-align: justify;">Common sense isn’t so common anymore. Training employees on what sensitive data is and what it isn’t is a start, but training them on what can and can’t leave the premises, and when it can, how it can, is another story.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Keystone Mercy Health Plan &amp; AmeriHealth Mercy Health Plan</em></p>
<p style="text-align: justify;">A flash drive was taken to a community health fair by an employee of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, and then turned up missing. On this flash drive – 280,000 Medicaid recipients’ information including names, addresses, personal health information and even social security numbers.</p>
<p style="text-align: justify;"><strong>IT Staff Security Training:</strong></p>
<p style="text-align: justify;">Sorry to burst everyone’s bubble, but IT doesn’t know everything. If they did, these back-up tapes and disks would never have left the premises, let alone been left unattended in the IT guy’s car. Proper IT staff security training is essential to better lock down networks, wireless, mobile devices and more. These people can help or harm your data security just as the typical end-user can.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Providence Home Services, a Division of Providence Health System</em></p>
<p style="text-align: justify;">An IT employee was fired in connection with the theft of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients. A Providence Home Services IT department worker took backup tapes and disks home as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions, lab results, social security numbers and patient financial information.</p>
<p style="text-align: justify;"><strong>Vendor Due Diligence</strong></p>
<p style="text-align: justify;">Just because a vendor can do something doesn’t mean they should. Again, knowing who you do business with is important because even though you are using a third-party, they do not assume complete liability for a security breach. You do. (U R IT)</p>
<p style="text-align: justify;"><em>Case &amp; Point: South Shore Hospital &amp; Archive Data Solutions</em></p>
<p style="text-align: justify;">800,000 records containing sensitive, personal health and financial information were compromised when South Shore’s data management company, Archive Data Solutions, lost backup tapes containing copies of the hospital’s most sensitive databases created between 2006 and early 2010. On these tapes were: names, addresses, phone numbers, birth dates, social security numbers, patient health information and bank account data.</p>
<p style="text-align: justify;"><strong>Destruction of Medical Records</strong></p>
<p style="text-align: justify;">Anyone heard of shredding? How about HIPAA compliance? When you are dealing with sensitive data proper disposal of data files – electronic or paper – has to occur. You are ultimately responsible for that data.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Avalon Center</em></p>
<p style="text-align: justify;">An Erie County worker tossing garbage into a dumpster discovered odd boxes filled with files containing Avalon patient medical records. Files included full names, addresses, social security numbers and diagnosis information, left in the trash for anyone to access.</p>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">External Security Controls</span></strong></p>
<p style="text-align: justify;"><strong>Penetration Testing</strong></p>
<p style="text-align: justify;">Knowing your weaknesses and remediating them is better when discovered before a hack instead of after. Even your best IT people can leave a hole in network security on a bad day and/or because they are fighting the functionality vs. security battle. Regardless, identifying your weaknesses by emulating a real-world hack with a penetration test and fixing them before disaster strikes is better than becoming the next media headline.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Express Scripts</em></p>
<p style="text-align: justify;">Express Scripts disclosed unauthorized persons gained access to personal and medical information of 50 million people. Express Scripts received an anonymous letter containing names of 75 or so clients showing their birth dates, social security numbers and prescriptions. These extortionists threatened to disclose personal and prescription information if the company failed to meet payment demands.</p>
<p style="text-align: justify;"><strong>Website Security Assessment</strong></p>
<p style="text-align: justify;">Remember, your website is like a billboard in cyber space advertising “Look at me. Look at me.” When the visitor wants to take it a step further, make sure it’s locked down. A simple website security assessment can show you the vulnerabilities that hackers take advantage of to deface your site, access your network and so on.</p>
<p style="text-align: justify;"><em>Case &amp; Point: Virginia Health Professionals</em></p>
<p style="text-align: justify;">Hackers broke into a Virginia state website used by pharmacists to track prescription drug abuse and deleted the records of 8+ million patients plus 35,548,087 prescriptions. They then defaced the site’s homepage with a ransom note demanding $10 million for the return of the records.</p>
<p style="text-align: justify;"><strong>Social Engineering</strong></p>
<p style="text-align: justify;">Social Engineering is where you hack the people. By manipulating the target, you gain admission to the sensitive data you wish to access. This is excellent if you want to see if your policies and procedures are in place and where human error can play a part in a security breach. This can be done onsite or remotely and really is telling of how easy it is to be the victim of a security breach. Here, hackers were able to manipulate an email request from those legitimately working on a computer security upgrade on UCSF systems.</p>
<p style="text-align: justify;"><em>Case &amp; Point: UCSF Doctor</em></p>
<p style="text-align: justify;">A faculty doc at UC San Francisco fell for an email phishing scam, opening up access to personal information on some 600 patients and others to hackers. The physician replied to a scam email seeking user name and password information. The request was made to look like it had come from UCSF workers who were involved with upgrading security on UCSF’s computer system.</p>
<p style="text-align: justify;">While this is only the tip of the iceberg when it comes to information security measures, I hope that when it comes to security one thing is clear: SECURITY</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/12/30/healthcare-security-a-hacker%e2%80%99s-perspective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://infosecminds.com/2010/12/30/healthcare-security-a-hacker%e2%80%99s-perspective/</feedburner:origLink></item>
		<item>
		<title>Top 10 Security SNAFU’s of 2010</title>
		<link>http://feedproxy.google.com/~r/Infosecminds/~3/0ugqORGWCMk/</link>
		<comments>http://infosecminds.com/2010/12/29/top-10-security-snafu%e2%80%99s-of-2010/#comments</comments>
		<pubDate>Wed, 29 Dec 2010 03:34:47 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[computer networks]]></category>
		<category><![CDATA[information technology security]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security information technology]]></category>
		<category><![CDATA[security news]]></category>
		<category><![CDATA[security services]]></category>
		<category><![CDATA[security systems]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=265</guid>
		<description><![CDATA[Not surprisingly some of the biggest names in technology - Google, Cisco, McAfee, AT&#038;T - are prominent on the list, either because they're obvious hacker targets or because whenever they make a security mistake, it's big news. Without further ado, the list:]]></description>
			<content:encoded><![CDATA[
<p style="text-align: justify;">That old phrase SNAFU (&#8220;Situation Normal, All F&#8212;ked Up!&#8221;) certainly describes our choices for 2010&#8242;s top 10 security screw-ups.</p>
<p style="text-align: justify;">Not surprisingly some of the biggest names in technology &#8211; Google, Cisco, McAfee, AT&amp;T &#8211; are prominent on the list, either because they&#8217;re obvious hacker targets or because whenever they make a security mistake, it&#8217;s big news. Without further ado, the list:</p>
<p style="text-align: justify;"><strong>Aurora attacks on Google:</strong> In what&#8217;s come to be called the &#8220;Aurora attacks,&#8221; Google in January acknowledges valuable intellectual property was stolen via a network break-in during that past December, intimating China to be the origin of the cyberattack. About a dozen other high-tech and industrial companies appear to have been struck in similar fashion. The Chinese government says it doesn&#8217;t know what they&#8217;re talking about. Outraged over the cyber-intrusion, Google, which had been adhering to Chinese dictates regarding search-engine censorship, says it will defy them, putting its search-engine license in China in jeopardy. But by year-end, under Chinese pressure, Google abandons its tactic of re-directing Chinese user traffic to its more liberal Hong Kong site and its renewed China license requires censorship.</p>
<p style="text-align: justify;"><span id="more-265"></span></p>
<p style="text-align: justify;"><strong>China ISP takes Internet for a ride:</strong> A small Chinese ISP called IDC China Telecommunication briefly hijacked the Internet by sending out wrong routing data, which was re-transmitted by state-owned China Telecommunications, affecting service providers around the world. The event was noted in the &#8220;2010 U.S.-China Economic and Security Review&#8221; commission report presented this November to Congress, which pointed out for 18 minutes on April 8, China Telecom rerouted 15% of the Internet&#8217;s traffic through Chinese servers, affecting U.S. government and military Web sites. Widely reported, media attention raised the question of whether China was somehow testing a cyberattack capability, but China Telecom rejected those claims, calling the April traffic re-direction an accident.</p>
<p style="text-align: justify;"><strong>McAfee&#8217;s oopsie:</strong> McAfee goofs up by issuing a faulty anti-virus update &#8211; the now-infamous McAfee DAT file 5958 &#8211; which wreaked havoc on PCs of countless McAfee customers by causing malfunctions like the Microsoft &#8216;Blue Screen of Death&#8217; and creating the effect of a denial-of-service. With CEO and President Dave DeWalt apologizing profusely, McAfee worked to rush out various fixes for the SNAFU it had caused by mistake, but some irate McAfee customers felt it all could have been done better.</p>
<p style="text-align: justify;"><strong>Showtime for Cisco:</strong> Not the biggest data breach to be sure, but embarrassing for a networking company that wants the world to consider it a leader in security, having the sales to show for it &#8212; and that&#8217;s Cisco. Someone hacked into the list of attendees for the Cisco Live 2010 users&#8217; conference, a security breach that led Cisco to notify the customers as well as a broader group with dealings with the company. Though Cisco prefers to keep mum on some details, it appears a vendor told Cisco that someone had made &#8220;an unexpected attempt to access attendee information through ciscolive2010.com,&#8221; the event site. Cisco said the breach was closed quickly, &#8220;but not before some conference listings were accessed.&#8221; The compromised information consisted of Cisco Live badge numbers, names, title, company addresses and e-mail addresses. Cisco apologized by e-mail to both attendees and those who were invited but didn&#8217;t attend.</p>
<p style="text-align: justify;"><strong>Google sniffing:</strong> Google apologizes for wirelessly sniffing and collecting data from individuals on unencrypted Wi-Fi networks during its Street View car projects around the world to collect information for its map service. Amid outrage from privacy advocates and regulatory authorities in Europe and the U.S., Google says it was all done &#8220;mistakenly,&#8221; vowing to destroy the data it collected, as explained in a blog post from Google&#8217;s senior vice president of research and engineering, Alan Eustace. In a related case, Google acknowledged trespassing when it photographed a Pittsburgh-area house for its StreetView service and wound up paying a single dollar in damages to a couple who sued.</p>
<p style="text-align: justify;"><strong>An iPad surprise:</strong> A group calling itself &#8220;Goatse Security&#8221; exploits a security flaw in an AT&amp;T Web application to expose the e-mail addresses of over 100,000 iPad customer records. The FBI arrests one of the Goatse iPad hackers on felony drug charges after a home raid.</p>
<p style="text-align: justify;"><strong>Unhealthy security:</strong> Massachusetts-based South Shore Hospital announces it&#8217;s lost about 800,000 files related to 15 years&#8217; worth of health and financial information on patients, business associates and staff, but after initially saying it would contact those affected individually, changes its mind and chooses not to reach out to notify the individuals affected by the data breach. The Massachusetts Attorney General objects and says that has to be done.</p>
<p style="text-align: justify;"><strong>Spy drama:</strong> Anna Chapman, who was rounded up by the FBI with about a dozen other Russian spies in the United States and returned to Moscow in a spy swap, poses provocatively in black lingerie in a Moscow magazine, and lands a job as an information technology innovator for a Russian bank, despite the glaring gaps in her technical knowledge that helped the FBI nab her. Not only did the FBI during surveillance routinely sniff her wireless network, but Chapman also turned her laptop over to a U.S. undercover agent for repairs. Nevertheless, Russian bank FondServisbank hired Chapman upon her return to her country &#8220;to bring innovation to its information technologies.&#8221;</p>
<p style="text-align: justify;"><strong>Stuck with Stuxnet</strong>: First noticed in June, though it likely existed way before that, the Stuxnet worm surfaces as a highly-sophisticated piece of malware aimed at industrial Supervisory Control and Data Acquisition (SCADA) systems, primarily targeting Iranian nuclear facilities &#8211; possibly as a cyberwar weapon intended to stop suspected Iranian attempts to build a nuclear bomb. In October, Iran confirmed the worm had affected up to 30,000 systems in the country, and in November Iranian President Mahmoud Ahmadinejad went further saying that enemies of Iran had &#8220;succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,&#8221; adding, &#8220;They did a bad thing.&#8221;</p>
<p style="text-align: justify;"><strong>Return of WikiLeaks:</strong> A massive theft of U.S. State Department cables &#8211; more than 250,000 messages of various diplomatic correspondence related to relations with foreign nations and the shared confidences of world leaders &#8212; is published on WikiLeaks. Secretary of State Hillary Rodham Clinton calls it &#8220;an attack,&#8221; and rushes to apologize for the data breach to her counterparts around the world. Among the nuggets found in the quarter million State Department messages is one that cites an unnamed Chinese contact telling the State Department that the Chinese Politburo ordered the cyber-intrusion into Google. China says it doesn&#8217;t know what they&#8217;re talking about. China also blocks access to WikiLeaks, the Web site posting the leaked State Department cables.</p>
<p style="text-align: justify;">Source: PCWorld.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/12/29/top-10-security-snafu%e2%80%99s-of-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://infosecminds.com/2010/12/29/top-10-security-snafu%e2%80%99s-of-2010/</feedburner:origLink></item>
		<item>
		<title>Two factor authentication</title>
		<link>http://feedproxy.google.com/~r/Infosecminds/~3/3JrwTwvVmlQ/</link>
		<comments>http://infosecminds.com/2010/11/08/two-factor-authentication/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 07:17:53 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[2 factor authentication]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[one time password]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[RSA tokens]]></category>
		<category><![CDATA[two factor]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=245</guid>
		<description><![CDATA[Issues and proposed solutions for two factor authentication in online banking applications.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: justify;">What it is, what are the solutions</p>
<p style="text-align: justify;">Today, banks providing internet banking facilities are looking at implementing, or have already implemented, two-factor authentication. This has been driven either by risks the banks identified themselves or by a mandate from the regulatory authorities. Whatever initiated it, it is more important to understand what two-factor authentication is, what the business requirements are, and how it is going to impact the customers.<span id="more-245"></span></p>
<p style="text-align: justify;">What are the threats that we are trying to protect against by implementing a two-factor authentication solution? Phishing attacks, man-in-the-middle attacks, password sharing, etc.</p>
<p style="text-align: justify;">Two-factor authentication means that two factors of authentication (to your online banking website) are involved, either in the initial login process and/or while carrying out critical transactions, or only while carrying out critical transactions.</p>
<p style="text-align: justify;">So what are the factors that are involved in authentication?</p>
<ol style="text-align: justify;">
<li>What you know – password, PIN, answers to security questions, security image</li>
<li>What you have – one-time password (delivered in various ways), ATM cards</li>
<li>What you are – biometric solutions</li>
</ol>
<p style="text-align: justify;">Many organizations use one of the above more than once. For example, they use a user ID and password while logging in to online banking and ask some security questions while carrying out a critical transaction, and then claim to be implementing two-factor authentication. In reality it is just one factor (what you know) used multiple times.</p>
<p style="text-align: justify;">Using a combination of any two of the above is termed two-factor authentication. A simple example is using your ATM card and PIN at an ATM. The ATM card is something that you have and the PIN is something that you know, so two factors are used to authenticate you and carry out your requests at the ATM.</p>
<p style="text-align: justify;">Passwords and PINs are very commonly used parameters, while implementing a biometric solution (one that authenticates using a fingerprint scan, retina scan, etc.) is very expensive and the cost is hard to justify. There are different methods and solutions available for implementing two-factor authentication, of which OTP (One Time Password) seems to be much safer against the threats above. Let us look at some of those solutions.</p>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A grid on the ATM card</span></strong> – Some organizations have implemented the second factor by printing a grid on the back of the ATM card, which is convenient for customers. The login uses a user ID and password, and the next step is to key in a combination of numbers based on the grid cells requested by the online application. The user keys in the value and access is permitted. The same authentication factor can be used for making an online transaction.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The card is used in many places and, since it is an ATM card, it can be given to others for swiping on purchases. The grid on the back of the card can be easily memorized; though most do not agree with me, I am sure that I can remember and recollect at least one card’s grid.</li>
<li>If someone gets their hands on this card through any means, they can also take a photocopy of the card and the grid and use it whenever and wherever required.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A random number generating token</span></strong> – Many vendors provide tokens or key fobs (known by different names) which generate random numbers that are valid for only about 10 seconds (one form of OTP – One Time Password). This means that a new number is generated by some algorithm every 10 seconds. Very good!</p>
<p style="text-align: justify;">These are wireless (stand-alone) tokens, and a related component (a server) sits in the organization’s environment to validate the numbers generated on the tokens. Both the server and the token run the same algorithm, based on time stamps, so the server knows what number the token will show at a particular time.</p>
<p style="text-align: justify;">The user logs in by providing a user ID and password along with the randomly generated number, which is keyed into the application. The application internally validates this number and allows access.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The burden is in procuring these tokens, distributing them to customers, maintaining them, handling customers who lose these tokens, etc.</li>
<li>This solution is prone to man-in-the-browser attacks, which are similar to man-in-the-middle attacks.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">SMS on your mobile</span></strong> – A much better solution is using SMS as the second authentication factor (another form of OTP – One Time Password), though it has some drawbacks. Here the user logs in to the application using a user ID and password, and no second factor is applied at the initial login. The screens available after this login are limited: information such as the account number is limited to the last 4 digits, the customer name is not shown, etc. It is just your masked account number, the balance and a maximum of 10 previous transactions, or you could customize the first page to provide very minimal information. There is no access to the customer profile page either.</p>
<p style="text-align: justify;">When the customer needs to make a profile change or an online transaction, a one-time PIN is sent by SMS to the user’s registered mobile number; it has to be keyed in using a virtual keyboard, and that authorizes the transaction/change.</p>
<p style="text-align: justify;">This second factor can be implemented for various transactions, viz. adding beneficiaries, profile changes, online transfers, changes to transaction amount limits, password change on lockout, statements beyond 10 transactions, etc. The main advantage of this solution is that the customer is not bothered to carry any additional device for this purpose, and it cannot be compromised unless the mobile phone is compromised in time to obtain the PIN and also carry out the transaction. Since unique PINs are used to carry out different transactions/changes, it also mitigates the man-in-the-browser attack to a great extent.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ol style="text-align: justify;">
<li>The SMS is delayed in transit.</li>
<li>The SMS does not reach the customer, for various reasons.</li>
<li>Cost implications – payment to be made to the ISPs for sending SMSs.</li>
<li>The customer is out of the country and does not have a roaming facility.</li>
<li>ISPs prioritizing private SMSs over the SMSs from the banks.</li>
</ol>
<p style="text-align: justify;">I would prefer the last option, though it lists more disadvantages than the others. Let’s try and justify the disadvantages listed. Frauds that happen and result in financial loss are global issues, and I think that all relevant stakeholders should come together for a solution to work; the government should be the enforcer and the regulatory bodies should be the initiators of this cause.</p>
<p style="text-align: justify;">If the government, the ISPs, the banks and the regulatory bodies come together, it would solve disadvantages 1, 3 and 5. Point number 2 can be left as a risk, as in any business, if there is nothing we can do about it, and for point number 4, why is a customer trying to do a critical change or transaction while out of the country? If it is a corporate account then it is a different scenario.</p>
<p style="text-align: justify;">Your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/11/08/two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://infosecminds.com/2010/11/08/two-factor-authentication/</feedburner:origLink></item>
		<item>
		<title>Classification and labeling – A double edged sword?</title>
		<link>http://feedproxy.google.com/~r/Infosecminds/~3/z2lYAoE6j_U/</link>
		<comments>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/#comments</comments>
		<pubDate>Wed, 05 May 2010 07:26:02 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[classified documents]]></category>
		<category><![CDATA[confidential documents]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[labeling documents]]></category>
		<category><![CDATA[top secret]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=240</guid>
		<description><![CDATA[I use a public transport to commute between office and home. Recently, I had one gentleman sitting next to me reading a document. I just peeped into the document and all I could instantly read is the document name and it was labeled as “Confidential”. Now why would somebody read a confidential document during his [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: justify;">I use public transport to commute between office and home. Recently, I had a gentleman sitting next to me reading a document. I just peeped into the document and all I could instantly read was the document name, and it was labeled “Confidential”.</p>
<p style="text-align: justify;">Now why would somebody read a confidential document during his commute to the office on public transport? Did the classification serve any purpose? I was getting curious about this and asked him, “Any urgent review going on?” He said, “No, why?” I said I could see the document was classified “Confidential”. His explanation was, “It is just an old document, maybe from sometime in 2006”. Well, why was the document not re-classified if it was old?</p>
<p style="text-align: justify;"><span id="more-240"></span></p>
<p style="text-align: justify;">Urgency is one big enemy of security and so is labeling to a certain extent.</p>
<p style="text-align: justify;">In another instance, there was an organization which had many branch offices, with physical mail exchanged between them. The recommendation for exchanging documents classified as “Top Secret” was to put the document into an envelope, label that as “Top Secret”, and then put that envelope into another one labeled “Personal”. The classification levels in this organization were, from the top, “Top Secret” and then “Confidential”. Now how would this serve the purpose?</p>
<p style="text-align: justify;">The mail is exchanged through an outsourced mailman (or it could even have been an internal employee), and the mailman would be curious about the label “Personal” itself. Once he opens it, he will be even more curious, or happy, since it is labeled “Top Secret”.</p>
<p style="text-align: justify;">Do we need to restrict labeling of physical documents to those that reside within the organization’s premises only?</p>
<p style="text-align: justify;">For example, in the first instance, what if the person had removed the label and printed the document? I would not even have bothered to look at the document he was reading or to have a conversation with him about it.</p>
<p style="text-align: justify;">In the second instance, as long as the document is moving from one office to another, remove the label and deliver it personally (I mean only for “Top Secret” documents). Once it is in the destination office, can’t it be labeled again?</p>
<p style="text-align: justify;">I feel that labeling of physical documents should be used primarily to identify how they are to be stored and protected, and not while in physical transit. Let me know your views.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/</feedburner:origLink></item>
	</channel>
</rss>

