Lecture to PhD student summer school on security and privacy from financial industry and consumers perspectives

1. Perspectives on consumers
privacy and security tradeoffs
Marco Morana
Global Industry Committee
OWASP Foundation
OWASP
Summer School on
Computer Security &
Privacy Copyright © 2011 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
27-31 August 2012 under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org

2. Do you know OWASP ?
OWASP 2

3. About myself and my career journey
OWASP 3

4. Privacy is one of the biggest problems in this
new electronic age…
…At the heart of the
Internet culture is a
force that wants to find
out everything about
you. And once it has found
out everything about you
and two hundred million
others, that's a very
valuable asset, and
people will be tempted
to trade and do
commerce with that
What I've Learned: Andy Grove asset. This wasn't the
Former Chairman of Intel, 63, information that people
Santa Clara, California were thinking of when they
http://www.esquire.com/features/what called this the information
-ive-learned/what-ive-learned-archive age
OWASP 4

5. Presentation Objective & Agenda
 Objective: different perspectives in regarding of privacy
and the trade offs between different needs of consumers
and businesses and future trends
 Agenda
 PART I: Doing business with customers' private
information
 PART II: Threats to consumers private information and
measures to protect it
 PART III: Future trends affecting data privacy
OWASP 5

6. PART I
Doing Business with Customer’s Private
Information
OWASP 6

7. Factors that Limit Personal Privacy
Law
Enforcement
Social
Networking Personal Data
Privacy
Targeted
Marketing
Taxation
OWASP 7

8. Factors that Enable Personal Data Privacy
Anonymity
Data Privacy
Laws &
Controls Personal
Confidentiality Data Privacy
Security
Controls (e.g.
Encryption)
OWASP 8

9. …about Privacy
1. Privacy is a personal right
2. There are different types of privacy, health, political,
race/sex etc financial privacy is important for the
avoidance of fraud, identity theft
3. Privacy is traded off with different needs such as
networking, business, marketing, compliance, law
enforcement
4. Businesses collect, process and store customers’ private
and confidential information for different reasons
5. Data confidentiality and privacy have similar goals
6. New technologies such as social networks, online services,
cloud computing challenge the notion of personal privacy
7. Perspectives about privacy change with time
OWASP 9

10. Private And Personal Identifiable Information
 Private information and Personal
Identifiable Information (PII) uniquely
indentify an individual. What is private
and PII varies among countries, e.g.:
 US SB1386: Name and SSN, Driven
License No., Account /Credit/Debit
Acc No + PIN
 EU directive 95/46/Article 2a:
'personal data any information
relating to an identified or
identifiable person, identification
number or to one or more factors
specific to his physical,
physiological, mental, economic,
OWASP 10
cultural or social identity

11. Data Breach Notification Rules in Italy
.. Legislative Decree 69/2012 (into force since June 1st 2012
implementing in Italy Directive no. 2009/136/EC):
 Definition of personal data breach a breach of security
leading to the accidental destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
 Procedures to deal with a personal data breach:
 Shall notify the Italian Data Protection Authority (“DPA” or
Garante) without undue delay (e.g. 72 hrs for ISPs);
 Shall notify the subject but the notification unless the
provider is able to give evidence to the DPA that it has
implemented appropriate security measures
 Failure or delay to notify a personal data breach to the DPA
is sanctioned with a fine ranging between EUR25,000 to
EUR150,000 OWASP 11

12. Trade offs Between Business and Privacy Needs
 Collection,  Protection of C-PII
Processing of and sensitive
Customers PII (C-PII) information in storage
and Sensitive Info. and transmission
 Sharing of C-PII and  Disclosure &
personal information Consent to which 3rd
with 3rd parties and affiliates
parties/affiliates C-PII is shared with
 Compliance with  Notifications to
privacy laws, data customers when
breach notification private data is
laws and security collected and is either
policies lost or compromised
OWASP 12

13. Collection and Processing of PII
..in case of financial institutions, PII is:
 Collected online and at a branch when opening
bank accounts, apply for loans, run credit report,
apply for credit cards, online banking
 Processed and stored to identify/verify
customer by asking the last for digits of SSN and
ACC# for example:
 Over the phone for bank account balance and
payments of bills
 Online user validation for resetting a
password/PINs
 Online for authenticate a user with
challenge/questions
OWASP 13

14. Collection and Processing of PII Examples
OWASP 14

15. Private Data Collection Examples
OWASP 15

16. PART II
Threats to private information and measures to
protect it
OWASP 16

17. Statistical Data of Data Loss Incidents (*)
 Hacking and external attacks are the major cause of private
data losses and increasing (32% to 61% and 53% to 75% )
 NAA, SSN, DOB represent the majority of private data
record last year, this year are PWD, EMA and SSN
(*) Source:
DataLossDb.org
http://www.datalossdb.
org
OWASP 17

18. …In the space of one hour, my entire digital
life was destroyed.
First my Google account was taken
over, then deleted. Next my Twitter
account was compromised, and used
as a platform to broadcast racist and
homophobic messages. And worst of
all, my AppleID account was broken
into, and my hackers used it to
remotely erase all of the data on my
iPhone, iPad, and MacBook
(*) Source:How Apple and Amazon
Security Flaws Led to My Epic Hacking
http://www.wired.com/gadgetlab/2012/
08/apple-amazon-mat-honan-hacking/
.. all you need in addition to someone’s e-mail
is a billing address and the last four digits of a
credit card
OWASP 18

19. Cost to Businesses for Loss of PII
1. Data breach costs x data record lost: $ 222/record (*)
2. Out of pocket costs x identity fraud incident: $
631/victim/incident (**)
(*) Source: 2011 Cost of a Data
Breach: United States, Ponemon
Institute and Symantec, March 2012
(**) Source: The 2011 Identity Fraud
Survey Report by Javelin Strategy &
Research by Javelin Strategy &
Research
http://www.identityguard.com/downloads/j
avelin-2011-identity-fraud-survey-report.pdf
OWASP 19

20. Security Measures And Protection of Privacy
 Business protect their customers private
information with:
 Information Security Policy: Requirements
for protection of Confidentiality, Integrity and
Availability (CIA) of customers private data
 Data classification: Public, Internal,
Confidential, PII, Restricted
 Security measures:
 Controls: Authentication, Entitlements,
Encryption, Session Management,
Auditing & Logging;
 Measures: Security Audits;
 Information Security and Privacy Officers
OWASP 20

21. Opt out Privacy Controls: Privacy Notices From
US Banks
OWASP 21

22. Opt In Privacy Controls: Cookies & Preferences
OWASP 22

23. PART III
Future trends affecting data privacy
OWASP 23

24. Individuals’ Awareness of Privacy
“Maybe Zuckerberg is right. The mores of privacy are
changing, and “people don’t want complete privacy.” Teens
may be the first adopters of this change, Source
http://trends.myyearbook.com/2010/07/facebook-privacy-issues-not-an-issue-for-teens/
OWASP 24

25. Adoption of New Technologies And New
Challenges For Consumer’s Privacy
2017
2015
2012
2010
2007
Face
2005 Recognition
Biometric
Authentication Gesture
2000 Smart- Big data
Recognition
phones Virtual
BYOD Assistants
1997 Social Cloud computing Internet of
Internet Networks
Location aware things
Webmail
applications Social TVs
Mobile Payments
Social Analytics
OWASP 25

26. Law Enforcement vs. Individual’s Privacy
Sources: https://www.eff.org
OWASP 26

27. Company’s Privacy Practices Are
Increasingly Under Scrutiny
OWASP 27

28. Future Privacy Legislations in EU
1. EU regulation for 27
countries
2. Any processed PII data for
EU citizens (include IP
addresses, GPS location
data)
3. 24 hours data breach 6. Fines up to
notification 2% of
company
4. Mandatory security
annual
assessments
worldwide
5. EU citizens will have the turnover
right to request extended (*)
Source:http://www.donneespersonnelle
s.fr/6-things-you-need-to-know-about-
erasure of their personal data the-new-eu-privacy-framework
OWASP 28

29. Open Questions
 Questions for consumers:
1. What are my privacy rights ?
2. How I can control my privacy ?
3. Which PII can be disclosed and to who ?
4. Who is legally liable for PII data that is lost
 Questions for businesses:
1. Which are the privacy rights of my customers ?
2. Which security policies protect customer’s PII in
compliance with privacy laws?
3. How soon I need to inform my customers of a
breach of PII and/or identity theft fraud ?
4. When customers PII can be disclosed to law
enforcement ?
OWASP 29