Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Terri O'Brien  Chief Risk Officer, Interac Corp.
Justin Ferrabee  Chief Operating Officer, Payments Canada
Martin Kyle  Chief Information Security Officer, Payments Canada

4:40 p.m.

The Chair Liberal John McKay

Ladies and gentlemen, I see we have quorum.

I apologize to the witnesses for all the difficulties with votes, but it is what it is and we're in the season that we are in.

Before I start, there has been some conversation about Mr. Dubé's motion. I'm going to allocate the princely amount of one minute to see whether there is an appetite to deal with Mr. Dubé's motion.

The first question I have is.... I shouldn't even ask this. I should say we're going to have this in open meeting as opposed to in camera; otherwise, we'll just waste more time.

Mr. Dubé, do you want to move your motion? We'll see whether we can get this done in one minute.

4:40 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Hopefully I will need less than that. I've already presented it and explained why. It's on the record, so I'm happy to move to the vote.

4:40 p.m.

The Chair Liberal John McKay

Ms. Sahota.

4:40 p.m.

Ruby Sahota Liberal Brampton North, ON

I would just like to state that I'm supportive of the motion; however, I do feel that the time frame is very loose. It allows up until June 21. I do think there is some urgency to the matter, because there are a lot of people who feel uncomfortable about the way the report was put out initially in December. I would urge that we perhaps state that it should be done at the minister's earliest convenience.

That's just a friendly amendment, so that we don't give such a lengthy deadline but do it as soon as possible.

4:40 p.m.

The Chair Liberal John McKay

Mr. Dubé.

4:40 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you. I appreciate that. Understanding that we have a busy committee, I would perhaps just amend it to say “at the minister's earliest convenience but no later than” the date that's in the motion, so we don't say that the earliest convenience is when some of us come back.

4:40 p.m.

Ruby Sahota Liberal Brampton North, ON

Yes, I think that's a good amendment.

4:40 p.m.

The Chair Liberal John McKay

Okay, do we have consensus on that?

Properly, I should have Ms. Sahota move an amendment and then we will vote on the amendment. Do you want to move your amendment?

4:40 p.m.

Ruby Sahota Liberal Brampton North, ON

Yes, my amendment is, after the words “the Minister of Public Safety and Emergency Preparedness to appear”, to say, “at his earliest convenience but no later than Friday, June 21, 2019.”

The rest of it is the same.

4:40 p.m.

The Chair Liberal John McKay

Okay. The vote is on the amendment.

(Amendment agreed to [See Minutes of Proceedings])

(Motion as amended agreed to [See Minutes of Proceedings])

Excellent, thank you very much.

Now we'll turn to our witnesses. Notice the extraordinary level of co-operation among colleagues on the public safety committee, unfortunately not replicated anywhere else.

Our first witness is Ms. Terri O'Brien from the Interac Corporation, and the second witnesses are Mr. Ferrabee and Mr. Kyle from Payments Canada. I thank you for your patience.

I'm going to ask you for your opening statements.

I'll point out to colleagues that we are supposed to be voting again at 5:30. I assume that's when the bells go.

4:40 p.m.

The Clerk of the Committee Mr. Naaman Sugrue

There may be bells at 5:00.

4:40 p.m.

The Chair Liberal John McKay

Okay, so let's at least get the statements done. We started the meeting. Thank goodness for that.

Do I have unanimous consent to proceed until we can no longer proceed?

4:40 p.m.

Some hon. members

Agreed.

4:40 p.m.

The Chair Liberal John McKay

Okay, that is probably 20 minutes.

Please proceed. Again, I apologize for these procedures, but they are what they are.

Ms. O'Brien, go ahead.

4:40 p.m.

Terri O'Brien Chief Risk Officer, Interac Corp.

Good afternoon, everyone. Thank you very much for the opportunity to address the committee.

My name is Terri O'Brien. I lead the risk management practice at Interac Corp.

For my opening remarks today, my goal is to provide insights and recommendations on cybersecurity from our unique position in the financial services landscape. Many of you know Interac already. Like millions of Canadians each day, you use our products and services to withdraw money and pay and transfer funds with security and convenience.

What you may not know is that Interac is 100% Canadian-owned and operated. What sets us apart is not only our Canadian roots, but the trust we have established with Canadians over our 35-year history. Last year, Canadians made 6.6 billion transactions, moving over $415 billion in value across our suite of products, including Interac debit and Interac e-Transfer.

Interac has been in the business of facilitating real-time payments between Canadians for decades, including our Interac e-Transfer product, which has been facilitating real-time payments since 2002. Of course, this includes real-time 24-7 fraud detection. With real-time payments comes the need for real-time security, prevention and detection capabilities, which we've built up over our history. Our real-time cyber and fraud capabilities help Canadians digitally transact with confidence across a variety of devices and platforms, including mobile devices. At the same time, we adhere to our core values that have been central to our history, including corporate responsibility, safety and soundness.

Security is a core element of everything we do, whether it's combatting fraud across our network or keeping the personal financial information of Canadians private. Therefore, cybersecurity is something we think about a lot.

As our economy and society have become increasingly digital, it is no secret that the pace of cybercrime has accelerated. As I'm sure you've heard in some testimony, and as we've read and seen in reports, around the world it has never been easier for people to access cybercrime goods and services. Fraud-as-a-service and cybercrime-as-a-service websites currently sell everything from credit card numbers to social media account credentials and denial-of-service attacks. All of that is available with a single click and for several hundred dollars.

In that regard, Interac was very pleased to see the government establish the Canadian Centre for Cyber Security last year and make new investments in cybersecurity in the most recent budget. We also support the creation of the centralized cybercrime unit under the RCMP.

Interac is in a unique position at the centre of the Canadian financial services landscape. We operate as a central payments and digital information exchange to facilitate the interoperability of payments and related information among our Canadian banks, credit unions, caisses populaires, payment processors, businesses and Canadian consumers. Because of this, we are in a unique position where we can detect cybercrime, including fraud and money laundering, as it moves throughout our system and between those institutions.

This is a unique role that Interac plays at the centre of the ecosystem. Whereas each financial institution can detect fraud and money laundering only within its own customer accounts, Interac can see the criminal activity across institutions.

In order to pick up on these patterns of criminal activity, we employ sophisticated tools that utilize machine learning and predictive behavioural modelling. When our systems detect high-risk or suspected fraudulent activity, actions are immediately taken, including suspending or blocking the transactions.

We also communicate directly with institutions across the financial system. We collaborate and share information to strengthen our collective resilience and security in the Canadian economy. A practical example of this for the committee is when we detect that financial criminals are utilizing many different accounts to target a specific bank, union or caisse populaire. In these circumstances, we alert the institution that is being targeted, while simultaneously working to block the activity and secure vulnerabilities at the various sending institutions.

Because cybercrime doesn't have business hours, neither do we. Our detection and prevention systems and staff operate 24-7, enabling us to counter cybercrime in near-real time.

We are constantly evolving our approach in order to keep Canadians safe when transacting over our networks. In 2018, our fraud risk mitigation practices prevented over $100 million in fraud losses, and we had over 4,300 malicious websites taken down.

We also work together today with the RCMP and local law enforcement to support and assist in their investigations of fraud and related criminal activity. Protecting Canadians' financial information amidst the changing payments landscape is a top priority for Interac.

Since the advent of mobile wallets, payments are now made through smart phones and other devices, as mobile payments are growing in popularity among Canadian consumers and businesses every day.

In order to secure the payments made via the Interac debit network on mobile devices, Interac became one of the first domestic debit networks globally to establish its own token service provider, or TSP. Our TSP ensures that personal identifiable information, including account numbers, is replaced with randomized information, or tokens, that is of no use to hackers or criminal activity.

Expanding the use of tokenization is one way we can enhance cybersecurity for the benefit of Canadians. Collaboration and coordination among private and public entities are also pivotal to addressing the volume of cyber-threats that exist today.

We see three specific areas of focus here that can greatly benefit Canadians. The first is information sharing with the new cybercrime unit in the RCMP. The second is a more targeted approach to detecting cybercriminals. The third is ongoing public education and awareness.

Interac believes there is an opportunity to reduce impediments that currently exist in order to enable more open sharing of known cyber-threats between Interac and the government through secure and trusted channels. This should include looking at legislative changes, as well as safe harbour provisions, to open up communication channels and address concerns around enforcement actions.

Second, when it comes to detecting cyber-threats, we see benefits in utilizing a more targeted approach as a key point of emphasis. The way threats are detected today is akin to a scattershot, in that all transactions must be scanned and analyzed with equal importance. A more efficient model would be one that focuses on lists of known cybercriminals and cyber-threats and those vectors and behaviours, utilizing information from government and law enforcement, as well as financial institutions and Interac.

Interac could play a pivotal role here, given our ability to detect criminal activity across our network and our connection to almost 300 financial institutions. Interac, at the centre of the ecosystem today, could represent a secure information exchange with the RCMP in the future, to allow both organizations to take a targeted approach in detecting and preventing crime, rather than scanning all transactions. We believe government can and should play a leadership role here by establishing and maintaining clear processes and lines of accountability.

Finally, at Interac we recognize there is a need to provide ongoing public information and education about cyber-threats and security best practices to support an increased knowledge of the current risks and how to keep Canadians safe. We regularly conduct proactive campaigns designed to educate and inform. We also participate in forums such as the Competition Bureau's public education working group to share our insights and results. We also collaborate actively with the RCMP and local law enforcement.

We look forward to further collaboration with the government on information sharing, targeted detection, and public education in the future.

To conclude, I would like to emphasize Interac's commitment to cybersecurity and our willingness to work together with the government, as we do today. We support recent initiatives and investments made by the federal government, and we believe that continued education and discussions like these can advance industry-wide solutions to help keep Canadians safe from cybercrime.

Thanks very much.

4:50 p.m.

The Chair Liberal John McKay

Thank you, Ms. O'Brien.

Mr. Ferrabee, go ahead.

4:50 p.m.

Justin Ferrabee Chief Operating Officer, Payments Canada

Good afternoon.

My name is Justin Ferrabee. I'm the Chief Operating Officer of Payments Canada.

Thank you for inviting Payments Canada to contribute to the study.

Let me begin by reassuring the committee that security is Payments Canada's highest priority in all we do. It commands focus, resources and investment, above all other needs. This means that we design, review, modify, update and operate our systems as we monitor risks. We see security as a prerequisite for innovation in the payment space. We remain in a constant state of vigilance and respond decisively, as required, to ensure that we manage risk appropriately and that we remain secure.

Over the next few minutes, I'll share who we are and what we do, our collaborative approach to cybersecurity, and our recommendations for reducing the risk in the financial sector.

Payments Canada operates Canada's national clearing and settlement systems. While Payments Canada is a little-known entity to most Canadians, it plays an essential role in the economy and in the day-to-day operations of financial institutions and businesses across the country. Payments Canada's systems ensure that payments between financial institutions—the aggregation of all payments made in the economy—are safely and securely completed each and every day. The value transferred is over $50 trillion annually.

We are guided by our mandate and the public policy objectives of safety, security and efficiency of the Canadian clearing and settlement system. In consultation with members and stakeholders, we also maintain a framework of rules and standards that mitigate risk and facilitate the exchange of payments and the deployment of emerging payment products and services.

Given that cyber-threats evolve rapidly, Payments Canada is continually raising its defences. We have a cybersecurity action plan based on secure design principles and industry standards. The plan ensures that we are constantly watching for and closing gaps to maintain the resiliency of our operations.

Payments Canada operates within a network of financial institutions, regulators and other financial market infrastructures. We are held to the highest global security standards, including “Guidance on Cyber Resilience for Financial Market Infrastructures” from the Bank for International Settlements, the SWIFT customer security program, and the NIST cybersecurity framework.

We also work closely with the Bank of Canada to ensure that we meet the requirements for mitigating cyber-threats through internal and external assessments. Outside of these requirements, we establish rules and standards around the security of payment items and the connectivity of systems, to which our members must adhere.

From a wider, collaborative industry perspective, we work very closely with partners in the financial sector through cybersecurity industry groups such as the Canadian Financial Services Cybersecurity Governance Council, the Canadian Bankers Association cybersecurity specialist group, and the Financial Services Information Sharing and Analysis Center.

We also participate in and lead industry exercises for business continuity and cyber-resilience and share intelligence with partner agencies and organizations in the cyber community. These connections include the Canadian Centre for Cyber Security, Public Safety's critical infrastructure protection branch, RCMP's national critical infrastructure team, and the Canadian Cyber Threat Exchange. Further to these collaborations, we are actively engaged in the international cyber-risk community with our partners at the Bank of Canada.

Through all of these activities, we continually rank and benchmark ourselves internationally, and we are consistently in the top 1% of the global industry for safety and security.

Working closely with our financial institution members, the Bank of Canada and the Department of Finance, we are currently undertaking a major program to modernize Canada's payment systems to meet the growing demand for secure and innovative new payments products. Modernization will result in new payment infrastructure designed to strengthen the payment system.

Through our diligence and movement toward modern payment systems, we have identified gaps that exist outside our realm, which this study may be able to influence. There is a clear need for public-private coordination in responding to attacks against critical infrastructure and, with that, a single, clear point of contact in the public sector. These improvements will help us better share information, in a protected fashion, and help us manage and prevent future attacks. The release of the national cybersecurity strategy in 2018 and the recent developments with the Canadian Centre for Cyber Security will help in this area.

At the same time, the recovery of systemic cyber systems must be prioritized in the event of a widespread disruption. Policy that extends cybersecurity requirements to the supply chain of critical systems would help to improve the resilience of dependent components to the national infrastructure and the financial system as a whole.

Investments in policies and cybersecurity can also support digital supply chain risk. The modern supply chain often includes hundreds, or thousands, of software components that are embedded in critical systems sourced from companies and communities all around the world. It is a significant task to track and inventory all the ingredients of a system and make sure that those ingredients remain safe.

In the food safety world, we have labelling standards that inform customers about product ingredients and nutritional facts, but in the software world, we have no labelling standard to help consumers understand what components and what risks might exist within the software. Policy to support digital supply chain risk is necessary, and system labelling of software components should be studied for its benefits to the economy.

We also feel strongly that more could be done to address the cybersecurity skills shortage. There is already a gap in capable people and, given the increasing severity of threats, there is a need for policies and strategies to develop, attract and retain skilled workers. This would ensure that Canadian companies are able to safely grow and innovate as they expand their use of digital technologies.

Finally, we see a need to equip Canadians with the knowledge and awareness of good cyber hygiene to protect their personal and financial information online. For instance, right now millions of Canadians are seeking technologies and financial applications that mimic the services of open banking. In seeking such services, they aggregate account information across multiple platforms and thereby expose themselves to cyber-threats.

Payments Canada was pleased to see that several of these issues, and commitments to address them, were included in the 2019 federal budget, but we know that cyber-threats are not going away. They are evolving just as quickly, if not faster, than digitization and modernization across all industries. We must work together to build resilience in the face of these threats in a way that ensures that we do not hinder the pace of innovation.

While every organization has the responsibility to protect itself from cyber-attacks, doing so as a collective or a network is much more effective. Cybersecurity is an issue that affects the Canadian economy and our national security as a whole. Payments Canada is eager to contribute and support a network defence strategy.

Thank you.

5 p.m.

The Chair Liberal John McKay

Thank you.

Colleagues, we have 12 minutes left. If we ran this down to five minutes before the vote, that would give you four minutes, then four minutes, and that would be about it.

I would seek your input as to whether we could come back and spend an hour with these folks, if they are available. Can we do that?

5 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I won't be here.

5 p.m.

The Chair Liberal John McKay

Okay, there are no votes, no motions. That's agreed. We'll come back for an hour. I just feel we're abusing these folks' time.

We'll be back here probably about 5:30.

With that, Ms. Sahota has four minutes, and then Monsieur Paul-Hus has four minutes.

5 p.m.

Ruby Sahota Liberal Brampton North, ON

Thank you.

Ms. O'Brien, you spoke about malicious websites. How often are you seeing these malicious websites go up? How much of your capacity gets used up by taking down these malicious sites? Could you explain a little the awareness you are trying to raise for consumers so they're not duped?

5 p.m.

Terri O'Brien Chief Risk Officer, Interac Corp.

Last year, Interac experienced 4,300 of these phishing websites. We worked with a leader in the industry, a partner of ours, to take them down. It's a similar partner that works with many financial institutions. The larger financial institutions experience many more phishing incidents or fraudulent websites that are put up.

The websites are intended to collect personal, identifiable information—login credentials or other such means of identity—of Canadian consumers, so they can take over their bank accounts or other payment processing to extrapolate the money from their accounts. That's the intention of the websites. We are finding that they've been getting more sophisticated in recent years. I think folks would agree that they're getting better at stealing logos and branding and making it look like a legitimate website.

We do participate heavily in public education in this regard. It's very important to know that your financial institution isn't going to send you links and emails to click through to these malicious websites. There are ways that we educate the public to double-check that they are, in fact, on their own financial institution's website or Interac's website, and not on a spoofed website.

5 p.m.

Ruby Sahota Liberal Brampton North, ON

You also spoke a bit about mobile wallets, and Interac has been operating on the tap system for a while now. Has this led to an increase in fraudulent incidences? Are we forgoing safety for the sake of convenience? Could you shed some light on that?

5 p.m.

Terri O'Brien Chief Risk Officer, Interac Corp.

I would say no, actually. The mobile technology is more secure. It is akin to the tap technology, so it uses the EMV card technology. It's quite a layered security. I also mentioned tokenization. What's actually stored on the phones is a token, not the actual card number. It leverages the tap technology, which is quite secure. We have almost eliminated fraud in the Interac debit business. A lot of that has to do with chip and PIN. The residual, which is really at one basis point—it's as low as it could possibly be—stems from exploits in the U.S., where there are still terminals with a magnetic stripe, but effectively, in Canada, that technology is extremely secure.

5 p.m.

Ruby Sahota Liberal Brampton North, ON

We heard a little bit about the token service provider from witnesses from Mastercard when they were here. I'd never heard about it before. It seems that—and correct me if I'm wrong in my understanding—this system isn't used consistently. Why is Interac not switching over to the token system completely so that personal information is eliminated?