Information Security in the Debt Collections Industry
Fine Tuned Machines
Securing Data Transmitted to External Partners
March 13th, 2010
XYZ, a Debt Collections Company
• The market-leading debt collections firm, with over $800 million in market capitalization
• Collects debt in many areas, including bankruptcy and credit debt, auto recovery and municipal accounts
• Purchases and manages debt for major clients such as Bank of America, Chase, HSBC, Toyota and GMAC
• Complies with Federal Trade Commission regulations:
– Fair Credit Reporting Act
– Fair Debt Collection Practices Act
3/13/2010 MSIT 458 - FTM Group 2
XYZ Brand
XYZ is a secure and trusted partner of many banks and finance companies
• Strives to build relationships with the “debt sellers”
• Makes debt sales “pain free” for the sellers
• Ensures data security
• Employs a scoring model on potential debt purchases to negotiate with the sellers
• To achieve the goal of collecting on debts, XYZ is “in the business of purchasing information”
Business Problem
To maintain strong relationships, XYZ is forced to use the various data transmission and receipt methods set by its external partners.
Because of this, XYZ must address each data transmission and receipt method in its security policy and focus on internal efforts to protect its data.
Data Flow for Debt Collections
Data Transmission Methods
• Email
• FTP
• HTTP / Secured Website
Business Process: Email
Incoming records from debt sellers
Stored locally: hard drives and servers
Record fields:
• Name
• SSN
• Debt Acct #
• Debt Amounts
• Phone Number
• Address
Email Transmission: External
• To lawyers / courts
• To third parties
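Added example, not part of the FTM deck: an outbound mail-gateway check that looks for the record fields listed above (SSN, debt account number, phone number) and blocks unencrypted external mail that carries them. The internal domain, the account-number format and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# SSN uses the 3-2-4 layout. The phone and debt-account layouts are
# assumptions; the deck does not specify them.
PII_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-.]\d{4}(?!\d)"),
    "debt_acct": re.compile(r"\b(?:acct|account)\s*#?\s*:?\s*\d{6,12}\b", re.IGNORECASE),
}
INTERNAL_DOMAIN = "xyz.example"  # assumed; the deck names the firm only as XYZ


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    encrypted: bool = False  # message-level encryption applied by the gateway


def find_pii(text):
    """Return the kinds of PII present in the text, sorted and unique."""
    return sorted(kind for kind, pat in PII_PATTERNS.items() if pat.search(text))


def gateway_decision(msg):
    """Policy: PII may leave XYZ only inside an encrypted message.
    Returns ('allow' | 'block', kinds of PII found)."""
    kinds = find_pii(msg.body)
    external = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if kinds and external and not msg.encrypted:
        return "block", kinds
    return "allow", kinds


def triage(messages):
    """Run the policy over a batch; one (decision, kinds) per message."""
    return [gateway_decision(m) for m in messages]


# Constructed sample traffic, not real records.
SAMPLE_MAIL = [
    Message("collector@xyz.example", "paralegal@lawfirm.example",
            "Debtor: Jane Doe, SSN 123-45-6789, Debt Acct # 44012233, "
            "amount $1,240.00, phone 312-555-0100"),
    Message("collector@xyz.example", "paralegal@lawfirm.example",
            "Debtor: Jane Doe, SSN 123-45-6789", encrypted=True),
    Message("collector@xyz.example", "analyst@xyz.example", "Internal review: SSN 123-45-6789"),
    Message("collector@xyz.example", "clerk@court.example", "Please find the hearing date attached."),
]

if __name__ == "__main__":
    for m, (decision, kinds) in zip(SAMPLE_MAIL, triage(SAMPLE_MAIL)):
        print(f"{decision:5s} -> {m.recipient:28s} {kinds}")
```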
Email Transmission: Types of Threats
Data Transmission Methods
• Email
• FTP
• HTTP / Secured Website
FTP Channel: Purpose & Usage
What is FTP? FTP (File Transfer Protocol) is an application-layer protocol based on a client/server architecture, used to transfer (download/upload) files over a network (public or private).
Company Profile: FTP
• Usage (internal & external): frequent and heavy
• Type of data: large files with highly sensitive PII
• User community: wide diversity (business/technical), ~40 users
• Landscape: software/hardware/network
• Top concerns: security, automation, intuitiveness and reliability
FTP Channel: Current Challenges
• Pressing concern:
– FTP is inherently not secure
• Common attacks:
– Injection attack
– Bounce attack
– Brute force attack
– Steal attack
Name: Troj/JSRedir-R
Spreads: Web browsing
Prevalence: High
Detected: 04/30/2009
Category: Virus/spyware
Type: Trojan
Data Transmission Methods
• Email
• FTP
• HTTP / Secured Website
Forms of External Communication
• PACER
– Use website to upload court documents
• Debt Sellers
– Use secured websites to download/upload information in various formats
• Law Firms
– Use of Automated Collection Controls document management outsourcing
Hypertext Transfer Protocol Secure (HTTPS)
• Used to create secure communication over an insecure network.
• Not a new protocol per se, but a combination of HTTP over Transport Layer Security (TLS) over port 443.
• TLS uses RSA public key encryption with 1024- or 2048-bit key lengths.
• The client downloads a signed public key certificate which is authorized by a certificate authority.
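Added example, not code from the FTM deck: one hardened client TLS configuration that serves both the cleartext-FTP concern raised on the FTP challenges slide and the certificate validation described on this slide, shown next to the weak setting in which a forged certificate is accepted silently. The CA bundle path and partner hostnames are assumptions.

```python
import ftplib
import ssl
import urllib.request


def insecure_context():
    """The weak setting: no chain or hostname validation, so a forged
    certificate is accepted without any prompt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Corrected setting: verify the chain to a trusted CA (system store or
    the given bundle), match the certificate to the hostname and refuse
    anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise what a context enforces (handy for a configuration audit)."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def https_opener(ctx):
    """urllib opener for the PACER / debt-seller portals, bound to ctx."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def ftps_client(ctx):
    """FTP-over-TLS client sharing the same context. Before transferring,
    call connect(), login() and prot_p() so the data channel is encrypted too."""
    return ftplib.FTP_TLS(context=ctx)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, describe(ctx))
    # Real transfer (not run here; hostname is a placeholder):
    # c = ftps_client(hardened_context()); c.connect("ftp.debtseller.example")
    # c.login(user, password); c.prot_p(); c.retrbinary("RETR batch.csv", out.write)
```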
Possible Attack Vectors
• JavaScript (PACER)
– Execution of malicious code that could exploit a security risk
• Web browsers (PACER, Debt Sellers, Law Firms)
– Malicious plug-ins can exploit users’ machines
• Operating systems (PACER, Debt Sellers, Law Firms)
– Although this attack’s magnitude has been mitigated over the years, patch management and application is still an important security policy
HTTPS attacks are possible!
• In September of 2009 a Microsoft API was exploited to create forged CA certificates.
• Users accepted the forged certificate automatically.
• This attack affected Internet Explorer, Safari and Chrome before the patch.
• The author of the SSLSNIFF software demonstrated this attack!
– His PayPal account was revoked after demonstrating the attack to eBay. Jerks!
Consequences and Costs
Legal Implications and Costs
Major fines are levied by the FTC for ineffective controls:
• FTC fines Rental Research Services $500,000 for “unfair acts or practices” in violation of the FTC Act.
• FTC fines ChoicePoint for data breaches ranging from $275,000 to $500,000 on separate occasions.
Damaged relationships with sellers could be catastrophic to XYZ (brand equity).
Data Security Costs
• According to a study by the Ponemon Institute, the “cost of a data breach rose for the fifth year to $204 per compromised record”
• Data breach expenses are not occurring in companies as often as in the past
• In the same study, 42% of companies surveyed stated the biggest threat was “mistakes made by third party vendors and company partners”
• Largest breach: over 100,000 records = $31 million cost to the breached firm
Recommendation for XYZ and Data Security
Unified Solution
• Policies
• Firewall appliance
– Proxy capabilities
– IDS/IDP
– Anti-virus scanning
(Diagram: each control applied across the Email, HTTPS and FTP channels.)
Unified Solution
• Host-level antivirus
• Client software
• Specified user accounts
(Diagram: each control applied across the Email, HTTPS and FTP channels.)
Solution Cost Analysis
• Estimated users: 400
• Total sites: 3
• Grand total: $28,700
Questions