Recent ECB/EBA regulations: how they will impact European banks in 2016

View on demand webinar: https://securityintelligence.com/events/recent-ecbeba-regulations-how-they-will-impact-european-banks-in-2016/

The recent European Central Bank (ECB) Recommendations for the Security of Internet Payments and European Banking Authority (EBA) regulations have mandated numerous requirements for European banks to enhance their online fraud prevention practices. Most European banks are required to add capabilities in risk analysis, malware protection, and strong authentication to meet the security requirements.

Assaf Regev, Product Marketing Manager, IBM Security Trusteer, will expand on how the new regulations will impact the European financial sector and what your bank will need to do not only to comply but also to be more secure. Topics covered:

• The key requirements for effective and sustainable online banking security as outlined by the ECB/EBA
• The need for layered security – why present controls may not be enough
• How IBM can help meet the ECB/EBA recommendations on time and on budget, while minimizing deployment, management and operational costs

1. Trusteer Positioning: ECB/EBA Recommendations for Security of Internet Payments
   © 2015 IBM Corporation. Monday, December 07, 2015

2. Agenda
   • General information and milestones – Things to note
   • The Guidelines
   • The layered security approach
   • How, why, and which IBM Security Trusteer product(s)?
   • Responding to the Specific Requirements
   • Summary / Next steps

3. Milestones and Recommendations
   • December 2014: EBA publishes the Final Guidelines on Internet Payments Security, based on the European Forum on the Security of Retail Payments (SecuRe Pay) minimum requirements that have to be fulfilled by PSPs under the PSD (link to the Final Guidelines)
   • August 2015: Guidelines define minimum requirements
   • 2017 / 2018: Additional guidelines from the EBA are expected once the updated Payment Services Directive (PSD2) is published

4. Things to Note
   • The recommendations constitute a “living document”
   • The recommendations are descriptive (vs. prescriptive)
   • The bank may address recommended solutions by other means
   • The recommendations constitute minimum expectations. It is the responsibility of PSPs to monitor and assess their particular risks, develop their own detailed security policies and implement adequate security measures that are commensurate with the risks inherent in the payment services provided.

5. Final guidelines on the Security of Internet Payments (as per the document issued in Dec 2014)
   • R2: Risk Assessment
   • R3: Incident Monitoring and Reporting
   • R4: Risk Control and Mitigation
   • R7: Strong Customer Authentication
   • R8: Enrolment for, and provision of, authentication tools and/or software delivered to the customer
   • R9: Log-in attempts, session time out, validity of authentication
   • R10: Transaction Monitoring
   • R12: Customer Education and Communication

6. The Guiding Principles: fraud prevention layers, listed in order of effectiveness
   • Device Security: ensuring the accessing device is secure and malware free
   • User Authentication: verify the authorized user and device with multifactor (tamper-proof) user authentication
   • Transaction Monitoring: identify anomalous user behaviors and known fraud patterns
   • Network Analysis: correlate known fraud with other potentially fraudulent events
   • Customer Awareness and Education: ongoing customer education through continuous communication

7. Existing security controls: do they impact your business?
   • Account & Transaction Restrictions
   • Intrusive Controls
   • Increased Authentication Challenges
   • Increased Transaction Delays
   • Increased Investigation Costs
   • Disruptive Validation & Verification
8. At a glance: ECB Recommendations mapped to Trusteer’s solutions (I)
   Recommendation 2: Risk Assessment
   • KC 2.1 (Risk Assessment): Trusteer Cybercrime Intelligence
   Recommendation 3: Incident monitoring and reporting
   • KC 3.1 (Reporting): Trusteer Cybercrime Intelligence
   Recommendation 4: Risk Control and Mitigation
   • KC 4.2 (Phishing): Trusteer Rapport and Trusteer Pinpoint
   • BP 4.1 (Trojans): Trusteer Rapport, Trusteer Pinpoint, Trusteer Mobile Solutions (Mobile SDK, Secure Mobile Browser)
   Legend: AQ = Assessment Question; BP = Best Practice; KC = Key Consideration

9. At a glance: ECB Recommendations mapped to Trusteer’s solutions (II)
   Recommendation 7: Strong customer authentication
   • AQ 7.0.1 (Use of 2+ elements for authentication): Trusteer Pinpoint and Trusteer Mobile SDK
   • AQ 7.0.4 (Protection of multi-purpose devices): Trusteer Mobile SDK; Trusteer Rapport; Trusteer Pinpoint
   • AQ 7.0.8 (Protection of devices where secrets are stored): Trusteer Rapport and Trusteer Mobile SDK
   Legend: AQ = Assessment Question; BP = Best Practice; KC = Key Consideration

10. At a glance: ECB Recommendations mapped to Trusteer’s solutions (III)
   Recommendation 8: Enrolment for and provision of authentication tools and/or software delivered to the customer
   • AQ 8.1.1 (Protection of payments – safe and trusted environment): Trusteer Rapport, Trusteer Pinpoint, and Trusteer Mobile SDK
   • AQ 8.1.1 (Software delivered to customers not under the bank’s control): Trusteer Rapport, Trusteer Pinpoint, and Trusteer Mobile SDK
   Recommendation 9: Log-in attempts, session time out, validity of authentication
   • KC 9.1, KC 9.2, KC 9.3 (Log-in attempts, session time out, validity of authentication): Trusteer Pinpoint
   Legend: AQ = Assessment Question; BP = Best Practice; KC = Key Consideration

11. At a glance: ECB Recommendations mapped to Trusteer’s solutions (IV)
   Recommendation 10: Transaction monitoring
   • Overview (Trx Monitoring purpose): Trusteer Pinpoint
   • KC 10.1 (Fraud prevention systems should detect malware in the session): Trusteer Pinpoint
   • KC 10.4 (Trx Monitoring shouldn’t delay transactions): All Trusteer’s solutions work in real time, providing actionable results while the user is interacting with the site.
   • KC 10.5 (Blocks should be maintained for as short a time as possible): All Trusteer’s solutions operate in real time and are highly deterministic, providing per-transaction results and avoiding blanket “blocking” of users.
   Legend: AQ = Assessment Question; BP = Best Practice; KC = Key Consideration

12. At a glance: ECB Recommendations mapped to Trusteer’s solutions (V)
   Recommendation 12: Customer education and communication
   • Overview (reassure customers of the authenticity of the messages received): Trusteer Rapport and Mobile
   Legend: AQ = Assessment Question; BP = Best Practice; KC = Key Consideration
13. Trusteer’s Solution Overview

14. Trusteer’s multi-layered fraud protections (Online Banking)
   Threats addressed: malware attacks against the website; account takeover; phishing and malware fraud.
   • Trusteer Pinpoint Malware Detection: detects malware targeting the OLB website
   • Trusteer Pinpoint Criminal Detection: detect fraud risk; identify cross-channel attacks
   • Holistic detection of fraud based on malware history and persistent device ID
   • Trusteer Rapport: detects and removes malware; prevents future malware infections; alerts on phishing attacks
   • Trusteer Mobile SDK / Browser
   Recommendations mapped on the diagram, per layer as shown: R4, R7, R10; R4, R10; R4, R7, R9, R10; R4, R7, R10, R12
   Legend: R2: Risk assessment; R4: Risk control and mitigation; R7: Strong customer authentication; R9: Log-in attempts, session time out, validity of authentication; R10: Transaction monitoring; R12: Customer education and communication

15. Trusteer Pinpoint Criminal Detection – Product Highlights
   • Correlates Device and Account Risk Factors to conclusively detect account takeover attempts
   • Automated Criminal Device Detection feeds a Global Criminal Device Database
   • Automated Fraud Rules Creation based on real-time threat and attack intelligence
   • Transaction Anomaly Detection

16. Trusteer Pinpoint Malware Detection – Product Highlights
   • Clientless detection of live Man-in-the-Browser (MitB) malware
   • Real-time alerts of high-risk devices
   • Updates automatically deployed without customer interaction and no business interruption
   • Integrate data into existing systems and workflows

17. Trusteer Mobile Solutions – Product Highlights
   • Captures Persistent Device ID and Device, User and Session Risk Factors
   • Comprehensive Fraud Protection across Bank Mobile Apps and Mobile Web Access
   • Correlates Mobile-specific risk, Online Risk (malware and phishing) and the Global Criminal Devices DB to prevent Cross-Channel Attacks

18. Trusteer Rapport – Product Highlights
   • Compact Software Agent for PC and Mac – minimal impact on the end-user’s machine
   • Transparently protects user credentials & website interaction
   • Removes existing infections upon installation and alerts the user & security team of potential phishing sites & credential loss

19. Trusteer Solutions and how they match the requirements
   ECB/EBA Guidance | How can IBM Security Trusteer help?
   • Risk Assessment
   • Risk Control and mitigation
   • Incident monitoring and reporting
   • Strong customer authentication
   • Enrolment for, and provision of, authentication tools and/or software delivered to the customer
   • Log-in attempts, session time out, validity of authentication
   • Transaction monitoring
   • Customer education and communication

20. Summary

21. Summary: Why IBM Security Trusteer
   • 475+ leading global organizations put their TRUST in us
   • Threat Intelligence gathered from more than 270 million endpoints
   • Helps prevent the “Root Cause” of Fraud
   • Reduce Operational Impact
   • Utilize Global Malware Intelligence Service
   • Improve Your Customer Experience
   Customers: 7/10 Top U.S. Banks; 9/10 Top U.K. Banks; 4/5 Top Canadian Banks; 2/4 Top Japanese Banks; Major European Banks; Major Latin American Banks

22. Q&A
23. Statement of Good Security Practices
   IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

   THANK YOU – www.ibm.com/security

   © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
