The Green Sheet Online Edition

February 11, 2013  •  Issue 13:02:01


CAPP provides FI security snapshot

Against the backdrop of persistent and pernicious cyber threats targeting the financial services industry, the Financial Services Information Sharing and Analysis Center (FS-ISAC) released results of a simulated test of security protections and protocols employed by financial institutions (FIs) against attacks. The FS-ISAC said the 2012 Cyber Attack against Payment Processes (CAPP) exercise showed FIs react and adapt quickly to new threats, and that most firms employ multilayered security to counter threats, especially distributed denial of service (DDoS) attacks.

Four hundred and forty-six financial institutions participated in the CAPP test, in which simulated attacks included online bank account takeovers, DDoS attacks, altered automated clearing house files, fraudulent wire transfer requests and the loss/theft of personally identifiable customer information. The tabletop exercise, during which no actual attempts were made to penetrate FIs' systems, was conducted over two three-day periods in the fall of 2012.

Once the tests were completed, the FS-ISAC compiled the results and distributed them to its members. The organization stressed that the participating FIs took the tests anonymously, and that the results were aggregated to show overall security trends and not to single out any individual institution's security strengths or weaknesses. The FS-ISAC said the goal of the exercise, which has been administered annually over the last three years, is to help FIs evaluate their own security practices and facilitate the sharing of knowledge and the development of security best practices industrywide.

Real world, but virtual

Charles Bretz, FS-ISAC Director of Payment Risk, said CAPP tests are facilitated via WebEx online conferences. On each day of the exercise, FIs' incident response teams are sent links to recorded WebEx sessions. The sessions then present simulations of conference calls between response teams and their FIs that concern cyber attacks.

Each day of the test, response teams are asked 15 to 20 multiple choice questions, Bretz said. The answers supplied by the teams are entered into an online survey tool. The answers are tabulated and the FS-ISAC publishes the results confidentially among its members about a month later, at which point FIs can compare their attack responses against the anonymous, aggregated responses of their peers.

Bretz said, "Let's say a team self-graded and said, 'Boy, we really screwed up this. We're not ready in this area.' Well, they realize that and take corrective action because it was done in a safe, confidential environment."

To test FIs' capacity to respond to ever more sophisticated attacks, the FS-ISAC threw them "curveballs" in the form of complex attacks, where response teams would have to deal with multiple threats at the same time, such as a simultaneous account takeover and DDoS attack. "The threats that we put in the exercise are based on the current threats that have been anonymously reported by our members," Bretz said. "So these are real-world threats. These are not contrived hypotheticals. These are the threats the industry is facing. And they change every year."

FIs, ready or not?

The cyber security stakes seem only to be growing. On Jan. 22, 2013, BankInfoSecurity reported that the Muslim "hacktivist" group Izz ad-Din al-Qassam Cyber Fighters had recently targeted PNC Financial Services Group, Fifth Third Bank and JPMorgan Chase & Co. with DDoS attacks. The report said the hacktivists have been inundating U.S. banks with cyber attacks since September 2012.

A December 2012 report conducted by the Ponemon Institute and sponsored by Corero Network Security suggested FIs are not up to the task, as they lack effective security technology to deal with new threats. The report, A Study of Retail Banks & DDoS Attacks, said information technology survey respondents reported their FIs still rely on traditional technology, with 35 percent of respondents specifying firewalls.

"The belief that traditional perimeter security technologies such as firewalls are able to protect against today's DDoS attacks is lulling not only financial institutions but organizations across every sector into a false sense of security," said Corero President Marty Meyer. "Many organizations assume traditional firewalls can provide protection against DDoS and Zero-Day exploits at the perimeter, yet this is not what they were designed to do and therefore attacks are still getting through."

However, the FS-ISAC has a different view. "FS-ISAC members are reporting that they have implemented defense in depth," Bretz said. "They are not relying on a single technique or just a few techniques, but multiple risk mitigation processes. This layered defense approach may involve traditional security techniques as well as advanced techniques. The effectiveness of this approach is not in any single method but in the synergy between these methods."

FS-ISAC members are also reporting that they are adding additional security layers in response to new threat information being shared among the members, according to Bretz.
