Securing Internet Payment Systems
Domenico Catalano, Principal Sales Consultant
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Payments through the Internet
• Making a remote payment card transaction through the Internet
• Online-banking based credit transfer or direct debits
• Payments through e-payment providers
[Chart: European online shoppers, 2009 vs 2014: 141 million vs 190 million online shoppers; EUR 483 vs EUR 601 per capita. Source: Forrester Research]
Source: "Towards an integrated European market for card, internet and mobile payments"
Cybercrime Threat to the Financial Sector
• Account Takeovers
• Telecommunication Network Disruption
• Insider Access
• Third Party Payment Processor Breaches
• Supply Chain Infiltration
• Securities and Market Trading Exploitation
• ATM Skimming and Point of Sale Schemes
• Mobile Banking Exploitation
[Chart: compromised records by industry group. Source: Verizon 2011 Data Breach Investigations Report]
Source: FBI, "Cyber Security: Threats to the Financial Sector"
ECB Recommendation: Security of Internet Payments
• General control and security environment.
• Specific control and security measures for Internet Payments.
• Customer awareness, education and communication.
[Diagram: holder, merchant web site, acquirer and issuer, with the purchase, payment and authorization flows between them.]
Source: Recommendations for the Security of Internet Payments, ECB
ECB Recommendation: Specific Control and Security Measures for Internet Payments
• Initial customer identification, information
• Strong customer authentication
• Enrolment for and provision of strong authentication tools
• Log-in attempts, session time-out, validity of authentication
• Transaction monitoring and authorization
• Protection of sensitive payment data
Source: Recommendations for the Security of Internet Payments, ECB
Evolution of Web Access Security
[Diagram stages: Single Sign On; Role Based Access Control; Multi-factor Authentication; Layered Access Security]
"PSPs with no or only weak authentication procedures cannot, in the event of a disputed transaction, provide proof that the customer has authorised the transaction." – ECB, Recommendations for the Security of Internet Payments
Oracle Adaptive Access Manager: Trust, But Verify
[Diagram: user "John Smith" passes through the security layers Password, Device, Location, Data and Verify ID, fed by data sources, before reaching the Protected Resources.]
• Authentication is valid, but is this really John Smith?
• Is anything suspicious about John's access request?
• Can John answer a challenge if the risk is high?
Context-Aware Risk Analysis
• Analyzes risk in real time
• Profiles behaviors
• Recognizes patterns
• Detects anomalies
• Takes preventative actions

Pattern Detection
• Dynamic behavioral profiling in real time
• In the last month, has Joe used this device for less than 3% of his access requests?
• In the last three months, have less than 1% of all users accessed from this country?

Predictive Analysis
• Indicates the probability that a situation would occur
• Is the probability less than 5% that an access request would have this combination of data values?

Static Scenarios
• Specific scenarios that always equate to risk
• If a device appears to be traveling faster than jet speed between logins, the risk is increased.
Risk-Based Identity Verification
• If the risk is very high: deny access and alert the security team
• If the risk is high: send a one-time password to the user's mobile phone
• If the risk is medium: ask a challenge question
• If the risk is low: do nothing
[Chart: RISK axis (LOW, MED-LOW, MED-HIGH, HIGH) against RESPONSE axis (ALLOW to DENY); annotation "Hacking for Fame".]
Data Relationships
First Class Entities: User, Device, IP, etc.
Transaction Data: Dollar Amount, Item Quantities, Item Numbers, Coupon Code, Shipping Priority, Shipping Address, Billing Address, Credit Card
Entity Instances:
• Address: Street Number, Street Name, Apt. Number, City, State, ZIP Code, Country
• Credit Card: First Name, Last Name, Middle Initial, Number, Security Code, Expiration
Sources: HTTP, SQL, Files, JMS, WS
Rule A: If a purchase originates from a country not matching the country in the billing address, then create an alert.
Rule B: If an item has been purchased more than twice in the last week from a single device, each time using a different credit card, then create an alert.
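The profiling questions, the faster-than-jet static scenario, Rules A and B, and the four risk-tier responses of the previous slides, worked through as a small scoring engine. This is an added example, not Oracle or OAAM code; the jet-speed threshold, the rule weights and the tier cut-offs are assumptions, and the history data is constructed.

```python
# Added example, not Oracle or OAAM code: a toy risk engine that applies the rules
# quoted on these slides and maps the score to the responses of the next slide.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

JET_KMH = 1000.0   # assumed threshold for "faster than jet speed" (not on the slides)
DAY = timedelta(days=1)
@dataclass
class Event:        # one login or purchase; the sample data below is constructed
    user: str; device: str; country: str; card: str; item: str
    lat: float; lon: float; when: datetime
def km(a, b):       # great-circle distance between two events (haversine)
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))
def score(req, history, billing_country):
    """Return (points, reasons); each fired rule adds points (weights are assumed)."""
    pts, why, now = 0, [], req.when
    mine = [e for e in history if e.user == req.user]
    month = [e for e in mine if now - e.when <= 30 * DAY]
    if month and sum(e.device == req.device for e in month) / len(month) < 0.03:
        pts += 1; why.append("pattern: device used in <3% of user's requests last month")
    quarter = [e for e in history if now - e.when <= 90 * DAY]
    if quarter and sum(e.country == req.country for e in quarter) / len(quarter) < 0.01:
        pts += 1; why.append("pattern: <1% of all users came from this country")
    last = max(mine, key=lambda e: e.when, default=None)
    hours = (now - last.when).total_seconds() / 3600 if last else 0.0
    if hours > 0 and km(req, last) / hours > JET_KMH:
        pts += 2; why.append("static scenario: faster-than-jet travel since last login")
    if req.country != billing_country:
        pts += 2; why.append("Rule A: purchase country differs from billing-address country")
    same = [e for e in history if e.device == req.device and e.item == req.item
            and now - e.when <= 7 * DAY] + [req]
    if len(same) > 2 and len({e.card for e in same}) == len(same):
        pts += 2; why.append("Rule B: item bought >2 times in a week from one device, different cards")
    return pts, why

def respond(pts):   # risk tiers from the slide; the point cut-offs are assumed
    if pts >= 4: return "deny access and alert the security team"
    if pts == 3: return "send one-time password to mobile phone"
    if pts == 2: return "ask a challenge question"
    return "allow"

# Constructed sample: Joe logs in daily from London on his laptop for 30 days, then a
# request arrives from a new phone in New York one hour after the last London login.
T0 = datetime(2013, 3, 1, 9, 0)
HISTORY = [Event("joe", "laptop", "GB", "card-1", "book", 51.5, -0.1, T0 + i * DAY) for i in range(30)]
REQ = Event("joe", "phone", "US", "card-9", "book", 40.7, -74.0, T0 + 29 * DAY + timedelta(hours=1))
```

Running `respond(score(REQ, HISTORY, "GB")[0])` on the sample fires the two profiling questions, the impossible-travel scenario and Rule A, which lands in the "deny and alert" tier.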
Become Context Aware: Prevent and Detect Anomalous Behavior, Reducing the Surface Area of Attacks
89% of breaches preventable
ROI study results:
• ROI: 106%
• Payback period: 12.1 months
• Total benefits: $6,007,641
• Total costs: ($2,912,513)
• Net benefits: $3,095,129
Source: "Adaptive Access Management: An ROI Study", a commissioned study conducted by IDC on behalf of Oracle, 2010
BT Managed Fraud Reduction (MFR)
• BT MFR is an automated fraud screening service developed by BT based on Oracle technologies.
• BT MFR assesses the risk of each e-Commerce transaction.
• BT MFR makes a risk assessment based on the behavior of the user.
• BT MFR is complementary to existing fraud checks performed as part of payment authorization.
• BT MFR is a real time service.
BT MFR: Architecture and Extensibility
[Diagram: the Payments Processor/Merchant calls the Oracle Service Bus (OSB), which determines call routing to the services below and returns an aggregated response.]
• OAAM: Fraud Rules Engine
• Ethoca: Fraud Business Intelligence
• BTMA: Strong Authentication
• CLI: Calling Line Identification
• GB Group URU: ID Verification Data
• Quova: Location Detection
Services are grouped as core, Optional Services and Future Services.