pci forensic investigations

Upload: european-merchant-services

Post on 22-Nov-2014


Page 1: PCI forensic investigations
Page 2: PCI forensic investigations

Online fraud is still a big problem and as long as the number of online shoppers continues to grow, so will the number of fraud cases. According to the European Central Bank there were 7.9 million cases of fraud with a value of 1.16 billion euros in 2011 of which 56% took place in e-commerce.

European Merchant Services organizes the EMS RISK EVENT annually for retailers who are active in e-commerce and multichannel. It is an excellent opportunity to increase your knowledge in the field of online fraud, risk management and advanced fraud prevention and detection tools. We help you to stay ahead of online fraudsters and to protect your online business by sharing the knowledge and experience of our fraud and risk experts, our customers and our partners.

Do you want to attend next year’s EMS RISK EVENT?

Please contact the EMS Marketing Department at T +31 20 660 3054 or send an email to [email protected]. For more information visit www.emscard.com/riskevent

Page 3: PCI forensic investigations

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

PCI Forensic Investigations

Presented by Ben Van Erck

EMEA RISK team

Page 4: PCI forensic investigations

PROPRIETARY STATEMENT

© 2013 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service.

This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.

Page 5: PCI forensic investigations

INTRODUCTION

Page 6: PCI forensic investigations

RISK Team: More than an acronym

RESEARCH

INVESTIGATIONS

SOLUTIONS

KNOWLEDGE

Page 7: PCI forensic investigations

RISK TEAM OVERVIEW

OUR TEAM

• Diverse investigator backgrounds
• Licensed private investigators
• Truly global coverage — 24x7
  - Investigators based in 16 countries
  - Forensic labs and evidence storage facilities in America, Europe, and Asia-Pacific
• No subcontractors
• Global PFI Firm

OUR SERVICES

• IT investigative support (on-demand)
• Guaranteed response (retainer-based)
• eDiscovery and litigation support
• PCI forensic investigations
• Electronic data recovery/destruction
• Incident response training
• Mock-incident exercises
• Corporate IR program development

VERIZON RISK TEAM HAS INVESTIGATED 8 OUT OF 10 OF THE WORLD’S LARGEST DATA BREACHES (http://www.idtheftcenter.com/)

Page 8: PCI forensic investigations

DATA BREACHES

Page 9: PCI forensic investigations

Page 10: PCI forensic investigations

The DBIR analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what can be done to prevent it.

Page 11: PCI forensic investigations

WHO ARE THE ATTACKERS?

VARIED MOTIVATIONS, VARIED TACTICS

• Aim is to maximize disruption and embarrass victims from both public and private sector.
• Use very basic methods and are opportunistic.
• Rely on sheer numbers.
• Motivated by financial gain, so will take any data that might have financial value.
• More calculated and complex in how they choose their targets.
• Criminals are now trading information for cash.
• Often state-sponsored.
• Driven to get exactly what they want, from intellectual property to insider information.
• Often state-sponsored, use most sophisticated tools to commit most targeted attacks.
• Tend to be relentless.

Page 12: PCI forensic investigations

THIS YEAR’S BIGGEST THREATS? SAME AS LAST YEAR’S.

WHAT TO WORRY ABOUT

• Very few surprises, mostly variations on theme.
• 75% of breaches were driven by financial motives.
• 95% of espionage relied on plain old phishing.
• Well-established threats shouldn’t be ignored.

Page 13: PCI forensic investigations

WHAT DO ATTACKERS TARGET? STILL THE TRADITIONAL ASSETS.

WHAT TO WORRY ABOUT

• The weak links haven’t changed much:
  – Desktops 25%
  – File servers 22%
  – Laptops 22%
• Unapproved hardware accounts for 43% of misuse cases.

Page 14: PCI forensic investigations

Difficulty of initial compromise

Page 15: PCI forensic investigations

• In 84% of cases, initial compromise took hours or less.

WHAT TO WORRY ABOUT

QUICK TO COMPROMISE

Page 16: PCI forensic investigations

SLOW TO DISCOVER

• 66% of breaches went undiscovered for months… or even years.

QUICK TO COMPROMISE

WHAT TO WORRY ABOUT

Page 17: PCI forensic investigations

Discovery methods

Page 18: PCI forensic investigations

RECOMMENDATIONS

Page 19: PCI forensic investigations

ADDITIONAL INFORMATION

• Download DBIR – www.verizonenterprise.com/dbir

• Learn about VERIS - www.veriscommunity.net and http://github.com/vz-risk/veris

• Explore the VERIS Community Database: http://public.tableausoftware.com/views/vcdb/Overview and learn more about this data: http://veriscommunity.net/doku.php?id=public

• Ask a question – [email protected]

• Read our blog - http://www.verizonenterprise.com/security/blog/

• Follow on Twitter - @vzdbir and hashtag #dbir

Page 20: PCI forensic investigations

PCI FORENSIC INVESTIGATIONS

Page 21: PCI forensic investigations

WHAT ARE WE TRYING TO ACHIEVE?

GOALS OF A PFI INVESTIGATION

1) Mobilize and respond to the potential security breach and assist in efforts to mitigate further damage;

2) Investigate the security breach and identify, to the extent possible, the source of the security breach;

3) Ascertain, to the extent possible, any compromised cardholder data and provide at-risk information to the respective owners to minimize any impact to the consumer and customer;

4) Identify, to the extent possible, any other details of evidentiary value relative to the security breach; and,

5) Transition, if and only as directed by the customer, any evidence and findings to law enforcement.

Page 22: PCI forensic investigations

WHAT IS EXPECTED OF YOU?

VICTIM RESPONSIBILITIES

1) Retaining evidence of compromise;

2) Hiring a PFI (list of approved PFIs on the PCI SSC website);

3) Cooperating with the PFI, acquirer, and/or Participating Payment Brand;

4) Allowing the PFI to drive the PFI Investigation;

5) Participating in discussions with affected Participating Payment Brands and the PFI;

6) Resolving any security weaknesses identified;

7) Notifying acquirers and Participating Payment Brands; and,

8) Notifying and working with law enforcement as applicable.

Page 23: PCI forensic investigations

KEY DEADLINES

VICTIM RESPONSIBILITIES

Notification of the brands involved:

- “Immediately”

After notification that PFI is required:

- Identify PFI within five (5) business days;
- Ensure that the PFI is engaged within ten (10) business days; and
- The PFI must be onsite within five (5) business days.

Reporting:

- Preliminary Incident Response Report - five (5) business days;
- Final Incident Report - ten (10) business days;
- PIN Security Requirements Report - ten (10) business days;
- Monthly Status Reports

Page 24: PCI forensic investigations

DBIR: www.verizon.com/enterprise/databreach

VERIS: www.veriscommunity.net/