Information Security in the Debt Collections Industry

PowerPoint presentation transcript, 25 slides. Uploaded by walker, posted 10-Feb-2016.

Page 1: Information Security in the Debt Collections Industry

Fine Tuned Machines

Securing Data Transmitted to External Partners

March 13th, 2010

Page 2: XYZ, a Debt Collections Company

• The market-leading Debt Collections firm, with over $800 million in market capitalization

• Collects debt in many areas, including bankruptcy and credit debt, auto recovery and municipal accounts

• Purchases and manages debt for major clients such as Bank of America, Chase, HSBC, Toyota and GMAC

• Complies with Federal Trade Commission regulations:
– Fair Credit Reporting Act
– Fair Debt Collection Practices Act

3/13/2010 MSIT 458 - FTM Group 2

Page 3: XYZ Brand

XYZ is a secure and trusted partner of many banks and finance companies.

• Strives to build relationships with the “debt sellers”
• Makes debt sales “pain free” for the Sellers
• Ensures data security

• Employs a scoring model on potential debt purchases to negotiate with the Sellers

• To achieve the goal of collecting on debts, XYZ is “in the business of purchasing information”

Page 4: Business Problem

To maintain strong relationships, XYZ is forced to use the various data transmission and receipt methods set by some of its external partners.

Because of this, XYZ must address each data transmission and receipt method in its security policy and focus on internal efforts to protect its data.

Page 5: Data Flow for Debt Collections

Page 6: Data Transmission Methods

• Email
• FTP
• HTTP / Secured Website

Page 7: Business Process: Email

Diagram: incoming records from Debt Sellers are stored locally on hard drives and servers. Record fields: Name, SSN, Debt Acct #, Debt Amounts, Phone Number, Address.

Page 8: Email Transmission: External

Diagram: email to Lawyers / Courts and to Third Parties.
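The email process on slides 7 and 8 moves the record fields listed above (Name, SSN, Debt Acct #, amounts, phone, address) to lawyers, courts and third parties. An outbound gate on the mail relay is one of the internal controls the business-problem slide calls for. The following Python is an added example, not part of the original presentation: it parses an outgoing message, decides whether any recipient is outside the company domain, allows the message through if it is already S/MIME or PGP encrypted, and otherwise blocks it when the body or a text attachment carries an SSN or a debt account number. The internal domain, the three sample messages and the field patterns are constructed for the demo and would need tuning for a real relay.

```python
"""Outbound-mail DLP gate: stop unencrypted PII leaving for external domains.

Added example, not part of the original presentation.  The internal mail
domain, the sample messages and the field patterns are constructed for the
demo and would need tuning for a real mail relay.
"""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import getaddresses

INTERNAL_DOMAINS = {"xyz.example"}  # assumption: XYZ's own mail domain

# U.S. SSN with dashes. Area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Debt account numbers as they appear in the constructed records: "Acct #" + 8 or more digits.
ACCT_RE = re.compile(r"Acct\s*#\s*(\d{8,})")

# Content types that mean the payload is already S/MIME or PGP encrypted.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def is_encrypted(msg):
    """True if any MIME part is an encrypted envelope."""
    return any(part.get_content_type() in ENCRYPTED_TYPES for part in msg.walk())


def find_pii(msg):
    """Scan every text part (body and text attachments) for SSNs and account numbers."""
    hits = {"ssn": [], "acct": []}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        hits["ssn"] += SSN_RE.findall(text)
        hits["acct"] += ACCT_RE.findall(text)
    return hits


def gate(raw_message):
    """Return ('allow' | 'block', reason) for one outbound message."""
    msg = message_from_string(raw_message, policy=default_policy)
    ext = external_recipients(msg)
    if not ext:
        return "allow", "internal recipients only"
    if is_encrypted(msg):
        return "allow", "external recipients, but payload is encrypted"
    pii = find_pii(msg)
    if pii["ssn"] or pii["acct"]:
        return "block", (f"{len(pii['ssn'])} SSN(s) and {len(pii['acct'])} "
                         f"account number(s) addressed to {ext}")
    return "allow", "external recipients, no PII found"


# Constructed sample messages; every value is fictitious.
SAMPLE_TO_LAW_FIRM = """\
From: collections@xyz.example
To: counsel@lawfirm.example
Subject: Account referral
Content-Type: text/plain

Debtor: Jane Doe, SSN 219-09-9999, Debt Acct # 4401002233, amount $1,250.00
Phone 555-0100, 12 Example St.
"""

SAMPLE_INTERNAL = SAMPLE_TO_LAW_FIRM.replace("counsel@lawfirm.example", "audit@xyz.example")

SAMPLE_ENCRYPTED = """\
From: collections@xyz.example
To: counsel@lawfirm.example
Subject: Account referral (S/MIME)
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

if __name__ == "__main__":
    for name, raw in [("law firm", SAMPLE_TO_LAW_FIRM), ("internal", SAMPLE_INTERNAL),
                      ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, gate(raw))
```

The order of the checks is the design point: recipients are classified first so that internal mail is never slowed down, encryption is honoured before content scanning because an encrypted body cannot be scanned anyway, and only the remaining unencrypted external mail is inspected for the fields the business process actually transmits.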

Page 9: Email Transmission: Types of Threats

Page 10: Data Transmission Methods

• Email
• FTP
• HTTP / Secured Website

Page 11: FTP Channel: Purpose & Usage

What is FTP? FTP (File Transfer Protocol) is an application-layer protocol based on a client/server architecture that is used to transfer (download/upload) files over a network (public or private).

Company Profile: FTP
> Usage (internal & external): frequent and heavy
> Type of data: large files with highly sensitive PII
> User community: wide diversity (business/technical), ~40 users
> Landscape: software/hardware/network
> Top concerns: Security, Automation, Intuitiveness & Reliability

Page 12: FTP Channel: Current Challenges

• Pressing concern:
– FTP is inherently not secure

• Common Attacks
– Injection Attack
– Bounce Attack
– Brute Force Attack
– Steal Attack

Name: Troj/JSRedir-R
Spreads: Web browsing
Prevalence: High
Detected: 04/30/2009
Category: Virus/spyware
Type: Trojan
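Two of the attacks listed above, brute force and bounce, leave traces in the FTP server's own log, so the channel can at least be monitored while it remains in use. The log analyser below is an added example and not part of the original presentation. It flags repeated failed logins from one client address inside a short window, and PORT/EPRT commands that ask the server to open a data connection to an address other than the client's own (the bounce pattern; a hardened server should also refuse such commands outright). The log lines are constructed for the demo and loosely modelled on a vsftpd log; the exact layout is an assumption, and LINE_RE would be adjusted for a real server.

```python
"""Detect FTP brute-force and bounce (third-party PORT) activity in server logs.

Added example, not part of the original presentation.  The log lines are
constructed for the demo, loosely modelled on a vsftpd log; the field layout
is an assumption, so adjust LINE_RE for a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>FAIL LOGIN|OK LOGIN|FTP command): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<cmd>[^"]*)")?'
)
# Active-mode data channel requests: PORT h1,h2,h3,h4,p1,p2 and EPRT |proto|addr|port|
PORT_RE = re.compile(r'^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),\d{1,3},\d{1,3}$')
EPRT_RE = re.compile(r'^EPRT \|[12]\|([^|]+)\|\d+\|$')

BRUTE_THRESHOLD = 5                   # failed logins ...
BRUTE_WINDOW = timedelta(seconds=60)  # ... within this window from one client


def parse(line):
    """Return a dict of fields for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def data_channel_target(cmd):
    """The address a PORT/EPRT command asks the server to connect to, or None."""
    m = PORT_RE.match(cmd or "")
    if m:
        return ".".join(m.groups())
    m = EPRT_RE.match(cmd or "")
    return m.group(1) if m else None


def analyze(lines):
    """Walk the log once and return a list of findings in log order."""
    findings = []
    failures = defaultdict(deque)   # client ip -> timestamps of recent failed logins
    flagged_brute = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["event"] == "FAIL LOGIN":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > BRUTE_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD and ip not in flagged_brute:
                flagged_brute.add(ip)
                findings.append({"type": "brute_force", "ip": ip, "count": len(q), "at": ts})
        elif rec["event"] == "FTP command":
            target = data_channel_target(rec["cmd"])
            if target and target != ip:             # data channel to a third party
                findings.append({"type": "bounce_attempt", "ip": ip, "target": target, "at": ts})
    return findings


# Constructed sample log (documentation address ranges; no real hosts).
SAMPLE_LOG = """\
Sat Mar 13 10:00:01 2010 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:00:03 2010 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:00:05 2010 [pid 2] [bob] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:00:07 2010 [pid 2] [bob] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:00:09 2010 [pid 2] [carol] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:00:11 2010 [pid 2] [carol] FAIL LOGIN: Client "203.0.113.9"
Sat Mar 13 10:05:00 2010 [pid 3] [seller1] FAIL LOGIN: Client "198.51.100.4"
Sat Mar 13 10:05:20 2010 [pid 3] [seller1] OK LOGIN: Client "198.51.100.4"
Sat Mar 13 10:05:21 2010 [pid 3] [seller1] FTP command: Client "198.51.100.4", "PORT 198,51,100,4,4,1"
Sat Mar 13 10:06:00 2010 [pid 4] [seller2] OK LOGIN: Client "192.0.2.7"
Sat Mar 13 10:06:02 2010 [pid 4] [seller2] FTP command: Client "192.0.2.7", "PORT 10,0,0,25,0,25"
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The brute-force rule fires once per client when the threshold is first crossed rather than on every further failure, which keeps alert volume proportional to incidents; the bounce rule is exact rather than statistical because a legitimate active-mode client never names a different host in PORT. Note that the "Steal Attack" in the slide's list has no log signature at all, because FTP sends the user name and password in clear text on the wire; that is the case for replacing the channel rather than monitoring it.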

Page 13: Data Transmission Methods

• Email
• FTP
• HTTP / Secured Website

Page 14: Forms of External Communication

• PACER
– Use website to upload court documents

• Debt Sellers
– Use secured websites to download/upload information in various formats

• Law Firms
– Use of Automated Collection Controls document management outsourcing

Page 15: Hypertext Transfer Protocol Secure (HTTPS)

• Used to create secure communication over an insecure network.

• Not a new protocol per se, but a combination of HTTP over Transport Layer Security (TLS), over port 443.

• TLS uses RSA public key encryption with 1024- or 2048-bit key lengths.

• The client downloads a signed public key certificate, which is issued by a certificate authority.

Page 16: Possible Attack Vectors

• JavaScript (PACER)
– Execution of malicious code that could exploit a security risk

• Web Browsers (PACER, Debt Sellers, Law Firms)
– Malicious plug-ins can exploit users’ machines

• Operating Systems (PACER, Debt Sellers, Law Firms)
– Although this attack’s magnitude has been mitigated over the years, patch management and application is still an important security policy

Page 17: HTTPS attacks are possible!

• In September of 2009 a Microsoft API was exploited to create forged CA certificates.

• User accepted forged certificate automatically.

• This attack affected Internet Explorer, Safari, and Chrome before patch.

• Author of SSLSNIFF software demonstrated this attack!
– His PayPal account was revoked after demonstrating the attack to eBay. Jerks!
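Slides 15 and 17 together make the practical point for XYZ's own client software: a CA signature on the certificate is not enough. The client must also insist that the certificate names exactly the host it meant to reach, and it must not silently accept a malformed name. The Python below is an added example and not from the original presentation. It builds a strict client-side TLS context using the real attributes of the standard ssl module, and adds an explicit certificate-name check in the dictionary shape that ssl.SSLSocket.getpeercert() returns. The name matcher is a simplified RFC 6125-style check written for this example (it is not the library's own matcher), and the two certificate dictionaries are constructed samples.

```python
"""Client-side HTTPS hardening for the partner portals: a strict TLS context
and an explicit certificate-name check.

Added example, not from the original presentation.  The ssl attributes are
real; the name matcher is a simplified RFC 6125-style check written for this
example, and the two certificate dictionaries are constructed samples in the
shape returned by ssl.SSLSocket.getpeercert().
"""
import re
import ssl

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def strict_client_context():
    """A context that refuses servers whose certificate does not chain to a
    trusted CA or does not name the host we asked for."""
    ctx = ssl.create_default_context()           # system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                    # name mismatch -> handshake fails
    ctx.verify_mode = ssl.CERT_REQUIRED          # unverifiable chain -> handshake fails
    return ctx


def context_is_strict(ctx):
    """Guard against configuration drift: True only if all three settings hold."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def valid_dns_name(name):
    """Accept only clean LDH labels.  NUL bytes and other non-printable
    characters are rejected outright, so no two parsers in the client can
    read the same certificate name differently."""
    if not name or "\x00" in name or not name.isprintable():
        return False
    labels = name.rstrip(".").split(".")
    return all(lab == "*" or LABEL_RE.match(lab) for lab in labels)


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole
    leftmost label and stands for exactly one label."""
    if not valid_dns_name(pattern) or not valid_dns_name(hostname):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2 or "*" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h            # a wildcard anywhere else never matches


def cert_matches_hostname(cert, hostname):
    """Subject Alternative Names are authoritative; the CN is consulted only
    when the certificate carries no DNS SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


# Constructed sample certificates (getpeercert() shape; fictitious names).
GOOD_CERT = {
    "subject": ((("commonName", "portal.debtseller.example"),),),
    "subjectAltName": (("DNS", "portal.debtseller.example"), ("DNS", "*.debtseller.example")),
}
# A CN with an embedded NUL byte and no SAN: must never match anything.
NUL_CERT = {"subject": ((("commonName", "portal.debtseller.example\x00.other.example"),),)}

if __name__ == "__main__":
    print("strict context:", context_is_strict(strict_client_context()))
    for host in ("portal.debtseller.example", "upload.debtseller.example", "debtseller.example"):
        print(host, cert_matches_hostname(GOOD_CERT, host), cert_matches_hostname(NUL_CERT, host))
```

In practice the context alone already makes the library perform the name check during the handshake; the explicit matcher is there so that the rules (SAN before CN, one-label wildcards only, no unprintable characters) can be read and unit-tested, and so that the same policy can be applied when a certificate is inspected outside a live connection, for example when onboarding a new Debt Seller's portal.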

Page 18: Consequences and Costs

Page 19: Legal Implications and Costs

Major fines are levied by the FTC for ineffective controls:

• FTC fines Rental Research Services $500,000 for “unfair acts or practices” in violation of FTC Acts.

• FTC fines ChoicePoint for data breaches ranging from $275,000 to $500,000 on separate occasions.

Damaged relationships with Sellers could be catastrophic to XYZ (Brand Equity).

Page 20: Data Security Costs

• According to a study by the Ponemon Institute, “cost of a data breach rose for the fifth year to $204 per compromised record”

• Data breach expenses are not occurring in companies as often as in the past

• In the same study, 42% of companies surveyed stated the biggest threat was “mistakes made by third party vendors and company partners”

• Largest breach: over 100,000 records = $31 million cost to the breached firm

Page 21: Recommendation for XYZ and Data Security

(Traffic-light graphic: STOP, SLOW, GO)

Page 22: Unified Solution

• Policies

• Firewall Appliance
– Proxy capabilities
– IDS/IDP
– Anti-virus scanning

(Diagram: Email / HTTPS / FTP channel labels)

Page 23: Unified Solution

• Host Level Antivirus

• Client Software

• Specified User Accts

(Diagram: Email / HTTPS / FTP channel labels)

Page 24: Solution Cost Analysis

Estimated Users: 400
Total Sites: 3
Grand Total: $28,700

Page 25: QUESTIONS