Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA.

Presentation transcript:

Consumer Authentication in e-Banking

Outline
- Purpose
- Background
- Risk Assessment and Management
  - Risk-based assessment
- Customer Awareness
- Conclusion

Purpose
- The need for additional security measures to reliably authenticate consumers remotely accessing their financial institution's Internet banking system.
- Updates and supplements the 2001 guidance entitled Authentication in an Electronic Banking Environment.

Authentication in an Electronic Banking Environment

Background
- Security Acts
  - Gramm-Leach-Bliley Act (GLBA) Title V requirement
  - The Fair and Accurate Credit Reporting Act of 2003 (FACTA)
- Identity Theft
  - One of the fastest growing types of consumer fraud
  - Account takeover was identified as the fastest growing type of identity theft
  - Account takeover represents a fundamental compromise of the security protecting consumers' primary asset accounts maintained at insured depository institutions

What is identity theft? Identity theft is defined as the appropriation of credentials or private information belonging to another individual, to be used in the creation of new accounts or new identities.

Hacker's Tools
- Phishing
- Spyware
- Malware
- Site spoofing
- Trojan horses
- Social engineering

Identity Theft Statistics
- According to the FTC, during 2003, 10 million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion.
- According to Gartner (2004), 2 million U.S. adult Internet users experienced account takeover during the 12 months ending April 2004.

Continued -
- The Anti-Phishing Working Group noted a significant increase in phishing activity over the past six months. There were 12,845 new unique phishing messages reported to the APWG in January 2005 alone.

FICUs' e-Banking Services Increase (Growth since 2000)
- More than half (58%) of FICUs have a website. This has increased by 39.5%.
- Home banking via websites has grown significantly, by 78.2%.
- The number of interactive and transactional websites has grown by 93.4%.
- Electronic loan payment has increased by 121%. Share draft ordering has grown by 83.2%.
- The number of members using transactional websites has increased by 230% (to 18.3 million).
- In 2004, among credit unions, the number of transactional websites grew by 10%, to 3,673, while the number of members using transactional sites grew 21% (to 18.3 million).

Continued -
- According to NAFCU, 48% of FICUs responded that their credit unions incurred an increased level of identity theft last year relative to
- With the fast growth of e-banking services among FICUs, and as scam artists become more sophisticated, identity theft has become a major risk for those FICUs offering e-banking services.

Continued -
- In a 2005 study, 14 percent of online consumers reported that they would stop using online banking due to concerns about phishing.

Risk-based Security Program
- Program should be enterprise-wide
- Perform a risk assessment
  - Consider "controls to authenticate" those seeking access to customer information
  - Take a risk-based and "layered" approach
- As the risk to sensitive customer information increases, the compensating controls contained within the institution's security program must also increase

Enterprise-wide Authentication
- Adherence to corporate standards and architecture
- Integration within the overall information security framework
- Within lines of business
- Central authority for oversight and risk monitoring

Risk Assessment
- Type of customer
- Institution's transactional capabilities
- Sensitivity and value of the stored information
- Ease of using the method
- Size and volume of transactions

Security Measures
- Risks can be measured by the likelihood of harm and the impact of an occurrence.
- With respect to Internet transaction processing, three primary risks exist:
  - risk of monetary losses
  - potential loss of future business, and
  - risk of compromising confidential customer information.

Continued -
- Implementation of security measures
  - Risk matrix: illustrates the type and likelihood of risk on one hand and the corresponding risk mitigation techniques on the other.

Risk Matrix – illustration only

Three Factors of Authentication Methodologies
- Something the user knows (password)
- Something the user possesses (smart card)
- Something the user is (biometric characteristic, such as a fingerprint or retinal pattern)

Authentication Tools
- Password
- PINs
- Digital certificates using a PKI
- Physical devices
  - Smart card
  - Tokens
- Database comparison
- Biometric identifiers

Conclusion
- To comply with GLBA and FACTA, conduct a risk assessment to identify the types and level of risks associated with the e-banking application.
- ID and password as the only control mechanism is no longer adequate for controlling remote access to sensitive information.
- Multi-factor authentication or other layered security is recommended to mitigate those risks.
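The risk matrix, the three authentication factors and the "controls must increase with risk" rule from the preceding slides, worked through as an added Python example (not code from the presentation or from NCUA). The 1-3 likelihood/impact scale, the score thresholds, the per-rating control policy and the sample transactions are all constructed assumptions for illustration.

```python
"""Risk-based selection of authentication controls for e-banking transactions.

Constructed illustration: the scales, thresholds and policy below are
assumptions for the example, not NCUA or FFIEC values.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


def risk_rating(likelihood: int, impact: int) -> str:
    """Risk matrix: combine likelihood of harm (1-3) and impact (1-3)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on a 1..3 scale")
    score = likelihood * impact          # 1..9 (constructed scoring)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Layered controls grow with the rating: how many *distinct* factor
# categories (knows / has / is) are required, and whether the activity
# is additionally placed under monitoring (constructed policy).
POLICY = {
    "low":    {"factors": 1, "monitor": False},
    "medium": {"factors": 2, "monitor": False},
    "high":   {"factors": 2, "monitor": True},
}

# Authentication tools from the slides mapped to their factor category.
FACTOR_OF = {
    "password": "knows", "pin": "knows",
    "smart_card": "has", "token": "has", "pki_certificate": "has",
    "fingerprint": "is", "retina": "is",
}


@dataclass(frozen=True)
class Transaction:
    name: str
    likelihood: int   # likelihood of harm, 1 (low) .. 3 (high)
    impact: int       # monetary loss / lost business / confidentiality, 1..3


def authorize(tx: Transaction, presented: Iterable[str]) -> Tuple[bool, bool]:
    """Return (allowed, monitor). Two credentials from the same category,
    e.g. password + PIN, count as one factor: ID/password alone is not
    multi-factor, which is the slide's central point."""
    rule = POLICY[risk_rating(tx.likelihood, tx.impact)]
    categories = {FACTOR_OF[c] for c in presented if c in FACTOR_OF}
    return len(categories) >= rule["factors"], rule["monitor"]
```

Running `authorize(Transaction("external wire", 3, 3), ["password", "pin"])` is refused because both credentials are knowledge factors, while adding a token satisfies the two-category requirement and flags the wire for monitoring.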

Part 748 – Appendix B Response Program

Background
- Section 501(b) of GLBA
- Part 748 – Appendix A
- Increasing number of security breaches
- Revise Part 748 and add Appendix B – Response Program

Response Program
- Take preventative measures to safeguard member information
  - Put access controls in place
  - Conduct employee background checks
- Implement a risk-based response program
  - Appropriate to the size and complexity of the CU
  - Appropriate to the nature and scope of its activities
  - Service provider
    - Address incidents
    - Notification of the CU

Components of Response Program
- Assessment
- Notification of primary regulator
- Notification of law enforcement authorities
- Proactive measures to contain/control the incident
  - Monitoring, freezing, or closing affected accounts
- Member notification

Content of Member Notice
- Description
  - The incident, in general terms
  - The type of member information that was the subject of unauthorized access or use
  - What the CU has done to protect the member's information
  - Telephone number for further assistance
  - Member should remain vigilant over the next months
  - Promptly report incidents of suspected ID theft to the CU

Continued -
- Review account statements and report suspicious activity to the CU
- Notify credit bureaus – consumer report
- Obtain credit reports – credit reporting agency
- Get Federal Trade Commission assistance

Changes from Proposal
- Standard for notice to member
- More risk-based; less prescriptive
- Notice to regulator – only if the breach involves sensitive member information

Continued -
- Notice to regulators – delay to coordinate with law enforcement authorities
- Flagging, monitoring, securing accounts – left to the credit union's assessment of risk
- Content of notice – likewise risk-based
- Fraud alerts – less prescriptive – discuss with the member, but not mandatory

NCUA Expectations for Compliance
- Potential questionnaire:
  - Incorporated into overall security program
  - Escalation process / incident response
  - Review of notices – attorney review?
  - Enterprise-wide approach
  - Reporting to senior management
  - Member outreach / awareness programs
  - Employee training programs

Question & Answer