LLOYDS BANK CARDNET VIEW WEBINAR Cyber Security: Safeguarding Online Sales 10am, Tuesday 14th July, 2015


LLOYDS BANK CARDNET VIEW
Cyber Security: Safeguarding Online Sales

PRESENTATION BY: Phil Thomas, Head of Product, Lloyds Bank Cardnet

INTRODUCTION BY: Aidene Walsh, Managing Director, Lloyds Bank Cardnet

FACILITATED BY: Juliet Mann, Journalist and Presenter

SPECIAL GUEST: Dr. Branden R. Williams, CTO, Cyber Security Solutions, First Data

SPECIAL GUEST: Paul Young, Director, Cyber Risk Services, Deloitte

CONTEXT CURRENT TRENDS IN CYBER CRIME

CARD FRAUD

•  6% rise in total fraud losses on UK cards in 2014
•  35m card payments made every day in UK in 2014
•  14% rise in e-commerce fraud in 2014

Sources: UK Card Association, Financial Fraud UK

WHO ARE THE ATTACKERS?

Organised Criminals
•  Organised networks of criminals, increasingly capable
•  ‘Foot-soldiers’ non-violent but technically capable
•  Motives: financial and sometimes political

Script-kiddies
•  Typically young, socially isolated, intelligent, and still growing their knowledge and skills
•  Motives: fun / challenge, moving to financial

Nation State / Spies
•  Highly capable teams with large amounts of funding
•  Some highly advanced monitoring and attack methods
•  Motives: geo-political

Hacktivists
•  Individuals or groups engaging in disruptive or damaging attacks
•  Motives: political or ‘ethical’ in their view

VICTIMS OF CYBER ATTACKS

USA
•  Target
•  Staples
•  The Home Depot
•  Neiman Marcus

MULTINATIONAL
•  EA Games
•  JP Morgan
•  Sony Pictures
•  Mandarin Oriental Hotel Group
•  Ebay
•  YouTube

SIZE & SCOPE OF CYBER CRIME

•  7m UK cards compromised by data breaches over last three years
•  93% of large UK businesses have suffered information security breach
•  £1.46m average cost of security breach for companies with more than 500 employees
•  £27bn cost of cyber crime to UK economy each year

Sources: National Security Strategy, UK Department of Business, Innovation & Skills, Worldpay

CASE STUDY: TARGET BREACH

•  Malware installed on Fazio Mechanical Services system (HVAC supplier to Target)
•  12 Nov 2013. Fazio system used to gain access to Target billing and invoicing system
•  ‘RAM scraping malware’ deployed on Target systems, including POS systems that record payment card transactions
•  Internal security warnings about malware were ignored
•  Stolen customer card and personal data extracted and transmitted to external servers
•  Internal security warnings about data loss were ignored
•  12 Dec 2013. DoJ notifies Target of suspicious activity on payment cards
•  19 Dec 2013 – 10 Jan 2014. Target make multiple public announcements. Intense and prolific media coverage exposed the data breach
•  May 2014. CEO resigns. Brand damaged, reduced operating margin and devalued assets

Impact
•  98m customers impacted
•  40m payment card details stolen
•  Financial costs of managing breach $248m. Further legal costs and fines

UK CASE STUDIES


COMMON THREATS

POINT-OF-SALE ATTACKS

•  Infected malware
•  Hacking into networks over WiFi
•  Hacking into servers

REGULATIONS

PCI DSS Requirements:

•  maintaining firewalls
•  protecting stored data
•  encrypting transmission of data
•  updating anti-virus software
•  secure systems and applications
•  need-to-know restrictions on data access
•  unique IDs
•  regular monitoring and testing
•  maintaining information security policy

NEW PAYMENT METHODS IMPLICATIONS

NEW PAYMENT METHODS & TECHNOLOGIES

•  Contactless
•  Mobile
•  Cloud computing
•  Internet of Things
•  Apple Pay
•  Virtual currencies

APPLE PAY

•  Near Field Communication – NFC and in-app purchase
•  Hold iPhone near contactless reader with finger on Touch ID
•  Credit card data stored in “Passbook”
•  “Tokenisation” – Apple doesn’t save transaction information or actual card numbers

APPLE PAY IN UK

•  Banks will be charged, not merchants or customers
•  Current UK regulations will apply
•  Lloyds Bank cards to be included later in 2015

o  Apple
o  KFC
o  Marks & Spencer
o  Pret a Manger
o  Boots
o  Liberty
o  McDonald’s
o  Spar
o  BP
o  Lidl
o  Costa Coffee
o  Post Office
o  Subway
o  Transport for London

PROTECTING NEW PAYMENT METHODS

•  Expanding Visa Token Service beyond Apple
•  Spending $20m on authentication through combined biometrics

BIOMETRICS

•  Facial recognition
•  Voice recognition
•  Fingerprint recognition
•  Heartbeat monitoring

REGULATION AND LIABILITY

REGULATION
•  PSD2
   o  Tackling fragmentation
   o  Ironing out cross-border inconsistencies
   o  Strong customer authentication

LIABILITY
•  Liability for counterfeit transactions shifts from issuer to merchant
•  Visa says doesn’t apply to lost/stolen cards

COMBATTING CYBER ATTACKS

WHAT CAN YOU DO ABOUT THE THREAT?

•  Aware of the latest risks
•  Prepare to be robust
•  Respond quickly & effectively

The chances are that most organisations will suffer a cyber attack at some point

Organisations should seek to reduce the net impact and the time it takes to recover

It may not be possible to be completely cyber attack-proof, but organisations can build the next best thing: cyber resilience

•  Does your organisation know what information is most valuable?
•  In case of suspicious events, do you have a clear procedure to follow?
•  Do you know who is monitoring your security, and do they give you threat information?
•  What impacts would you fear most if this happened to your organisation?
•  Is staff cyber security awareness and training being taken seriously?

INDUSTRY RESPONSE

Attack & Response Preparedness
•  Attack simulation and security testing
•  Crisis management and incident response exercises

Board-Level Recognition
•  Cyber risk governance, cyber resilience
•  Cyber impact and risk appetite

Technology
•  Infrastructure and application security
•  Identity & access management

People and Behaviour
•  Security culture & awareness
•  Security organisation design

Transformation & Change
•  Security architecture
•  Security programmes

Managed Services
•  Managed operation
•  Cyber threat intelligence

CHANGING  CAPITAL…  

LLOYDS BANK CARDNET VIEW Cyber Security: Safeguarding Online Sales

Q&A: Submit your questions via the webinar player site now

PRESENTATION BY: Phil Thomas, Head of Product, Lloyds Bank Cardnet

FACILITATED BY: Juliet Mann, Journalist and Presenter

SPECIAL GUEST: Paul Young, Director, Cyber Risk Services, Deloitte
