Page 14 - GS140501
News



"…you need to find out if you are vulnerable to this and get it fixed. And you need to inform the users. It's really across the board. Everyone needs to be communicating what their vulnerability was and how they're going to resolve the issue."

Miller added that when organizations recognize vulnerabilities, they must take the next step of patching those vulnerabilities, then revoke the associated certificates, followed by having new certificates issued to them. Companies like Trustwave operate as certificate authorities for the revocation and issuance of such certificates.

The revocation of exposed certificates and the issuing of new ones is important because hackers could still use old certificates to perpetrate fraud. Miller called the theft of encryption keys and certificates that allow for businesses and individuals to authenticate themselves online the "holy grail" for fraudsters.

"If an attacker is able to access a server's SSL private key, they can decrypt user traffic and impersonate the server – and it would be nearly impossible to detect them," Miller wrote. He said stolen certificates are popular for use in man-in-the-middle attacks perpetrated by fraudsters. Using stolen credentials, such as user passwords, they pose as consumers or network administrators for nefarious purposes.

Silver lining playbook

The Heartbleed bug has caused much angst for a financial services industry and economy suffering from massive and often devastating data breaches, such as the one that hit Target Stores Inc. over the 2013 holiday season. But Abby Ross, Media Relations Manager at Trustwave, sees a silver lining to the Heartbleed disclosure in that it provides businesses an opportunity to reevaluate their security best practices and procedures.

"It really gives users a chance to start fresh," she said. This involves resetting passwords with complex combinations of numbers, letters and symbols, and taking advantage of two-factor authentication to make communications more secure.

Heartbleed can also be used as a litmus test service providers can employ to determine the level of security of the vendors they utilize. Miller said, "These types of security events – widespread, high-impact security events – give you an idea of how well you can trust other organizations by how well they communicate, how they were affected, what they've done to resolve it and the steps they took to go forward."

Heartbleed can also be used by merchant service providers to look inward. "You can judge your own security posture by how prepared you were to respond to it and tactics you used if you had been compromised," Miller added.
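The remediation order Miller describes (patch first, then have a new certificate issued, then revoke the old one) lends itself to an inventory check. The following is an added example, not code from the article or from Trustwave: the host names, dates and key fingerprints are constructed, and it adds one caveat the article does not state, namely that a certificate reissued on the same key pair leaves the exposed key in service.

```python
"""Certificate remediation checker for a Heartbleed-style key exposure.

Each constructed inventory record holds: the date the host was patched
(None if not yet), the notBefore date of the certificate now in service,
the fingerprint of its public key, the fingerprint of the key used before
remediation, and whether the old certificate has been revoked.
"""
from datetime import date

# Constructed sample inventory; fingerprints are placeholders, not real keys.
INVENTORY = [
    {"host": "shop.example", "patched": date(2014, 4, 8), "not_before": date(2014, 4, 9),
     "key_fp": "fp-new-1", "prev_key_fp": "fp-old-1", "old_revoked": True},
    {"host": "api.example", "patched": date(2014, 4, 8), "not_before": date(2014, 4, 9),
     "key_fp": "fp-old-2", "prev_key_fp": "fp-old-2", "old_revoked": False},
    {"host": "mail.example", "patched": None, "not_before": date(2013, 11, 1),
     "key_fp": "fp-old-3", "prev_key_fp": "fp-old-3", "old_revoked": False},
    {"host": "pay.example", "patched": date(2014, 4, 8), "not_before": date(2013, 6, 1),
     "key_fp": "fp-old-4", "prev_key_fp": "fp-old-4", "old_revoked": False},
    {"host": "cdn.example", "patched": date(2014, 4, 8), "not_before": date(2014, 4, 10),
     "key_fp": "fp-new-5", "prev_key_fp": "fp-old-5", "old_revoked": False},
]


def assess(rec):
    """Return the list of remediation gaps for one host, or ['OK']."""
    if rec["patched"] is None:
        # Rotating keys on an unpatched server is pointless: the new key leaks too.
        return ["UNPATCHED"]
    if rec["not_before"] <= rec["patched"]:
        # The certificate in service was issued while the host was still
        # vulnerable, so its private key must be treated as exposed.
        return ["KEY_EXPOSED_NOT_ROTATED"]
    if rec["key_fp"] == rec["prev_key_fp"]:
        # Reissued after patching but on the same key pair: the reissue
        # changed nothing, the exposed key is still in use.
        return ["KEY_REUSED_ON_REISSUE"]
    if not rec["old_revoked"]:
        # New key in place, but the old certificate can still be presented
        # by whoever holds the old key until the CA revokes it.
        return ["OLD_CERT_NOT_REVOKED"]
    return ["OK"]


def report(inventory):
    """Map each host to its findings so the gaps can be worked as a list."""
    return {rec["host"]: assess(rec) for rec in inventory}


if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```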
Insider Technologies takes Sentra on the road

Manchester, England-based fraud specialist Insider Technologies embarked on a roadshow in the United States to market its fraud management service, Sentra. But along the way, Insider Technologies Executive Vice President John Bycroft is gaining insights into inefficiencies and lapses in fraud prevention and mitigation strategies employed in the U.S. financial services sector.

The roadshow, which began April 28, 2014, and will run through Cartes America 2014 in Las Vegas in mid May, has Bycroft introducing Insider Technologies and its services to bank executives, ATM network operators, card brands, aggregators and others in New York, Chicago, Los Angeles and San Francisco.

Bycroft's impression so far of anti-fraud programs in the United States is that many financial institutions (FIs) are fighting fraud in "the rearview mirror." "They are processing the fraud reports overnight or the following day, or two days later," he said. "We spoke to one U.S. bank who has a part-time staff come in on a Thursday and look at last week's suspicious activities."

Bycroft noted a report from a U.S. fraud investigator said only 71 percent of FIs employ fraud management systems. "Does that mean that 29 percent of U.S. banks do not have fraud management systems?" he said, an especially disconcerting notion given the prevalence and escalation of fraud attacks recently against retailers and others in the United States. He stated, "If there are any banks in the western world that do not have a fraud management system, we find that absolutely incredible."

Bycroft does not attribute pervasive weaknesses in fraud management to incompetence, but rather to the pressures brought to bear on FIs today. "When we talk to American banking executives, I do think they are being pulled in many different directions," he said, adding that the push for them to adopt the Europay/MasterCard/Visa (EMV) chip card standard is chief among them.

Fighting fraud with big data

Insider Technologies is not a new kid on the fraud fighting block. Bycroft said the company has been building its fraud management capabilities in Europe over the last 25 years. It boasts the British government, the British and German armies, and the U.K.'s Government Communications Headquarters (the equivalent of the U.S. National Security Agency) as clients.

Since the 1990s, Insider Technologies has provided anti-fraud services to U.K. banks, including the Bank of England, Barclays, Lloyd's of London and the Royal Bank