Questions You Should be Asking NOW to Protect Your Business!

Transcription

1 Questions You Should be Asking NOW to Protect Your Business! Angi Farren, AAP Senior Director Jen Wasmund, AAP Compliance Services Specialist 31 st Annual Conference SHAPE YOUR FUTURE April 23, 2013 Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA. DISCLAIMER: This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature. UMACHA 2013; All rights reserved. 2 1

2 Fraud & CyberCrime Continue.. Malware, Network Intrusion, Money Mules ACH Security Legal Cases in the News Corporate Account Takeover New ACH Security Framework Rules Defined Sound Business Practices Tips to keep your Company ahead of new NACHA Rule Requirements Solutions Available to you from your Financial Institution Strong Passwords Activity Reporting Fraud/Resources Questions? UMACHA 2013; All rights reserved. 3 Did you know that 860,000 attempts are made EACH day to hack into systems? There are about 75,000 new strings of malware EACH day? Estimates losses from account takeover fraud were over $4.9 billion in 2012 (increase of 69% from 2011) 1 1: Mitigating Online Account Takeovers: The Case for Education, Retail Payments Risk Forum, April 2013, UMACHA 2013; All rights reserved. 4 2

3 Used to Facilitate Financial Crimes Typical malware packages sold in the criminal underground: Steal account credentials Delete and steal cookies Redirection Allow remote access to the victims computer Bot-Nets UMACHA 2013; All rights reserved. 5 Access to Users Network Network Admin Rights Capture Credentials Steal Customer & Employee Information Sophisticated Programs UMACHA 2013; All rights reserved. 6 3

4 US Citizens Launder Stolen Money Work From Home Foreign Company Commission 6-10% Financial Incentive To Act Fast Frequently Fueled by Economic Conditions & Unemployment UMACHA 2013; All rights reserved. 7 You unexpectedly receive notice that you are getting a grant from the government or a foundation and a processing fee is required. A company hires you to work at home as a mystery shopper or processing payments and instructs you to send money somewhere as part of the job. Someone sends you more than the asking price for an item you are selling and instructs you to wire the extra money somewhere else. A stranger sends part of the profits you were promised in a foreign business deal and asks you to pay legal fees to get the rest. UMACHA 2013; All rights reserved. 8 4

5 65-Year-Old Woman in Texas Admitted she suspected might not have been legitimate, but decided she needed the money too badly to turn it down. Made $500 on $9,099 Transaction Sent Funds to Eastern Europe UMACHA 2013; All rights reserved. 9 UMACHA 2013; All rights reserved. 10 5

6 PATCO Construction v. People s United Bank From May 7 May 16, 2009, online transfers totaling over $580,000 were made from PATCO s account at their FI Dispute surrounding whether the bank offered commercially reasonable security procedures Initial ruling was in favor of the bank, however a July 2012 US District Appellate Court reversed this decision People s United and PATCO settled out of court for the amount of the losses, plus an additional $45,000 in interest expenses UMACHA 2013; All rights reserved. 11 Choice Escrow Land & Title v. BancorpSouth A single wire transfer request for $440,000 was submitted through BancorpSouth s online banking system from Choice Escrow s account Choice Escrow had previously declined security procedures offered by the bank for online transactions, specifically a requirement for dual control on all transactions A March 18, 2013 decision from the US District Court for Missouri s Western District ruled in favor of the bank due to the fact the company declined more stringent security procedures offered to them UMACHA 2013; All rights reserved. 12 6

7 Corporate Account Takeover Form of corporate identify theft where a business online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity. Involves compromised identity credentials and not about compromises to the wire system or ACH Network ACH Fraud and Wire Fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer. The ACH Network is safe and secure. UMACHA 2013; All rights reserved. 13 Account Takeover UMACHA 2013; All rights reserved. 14 7

8 Companies and their FIs Must AVOID: Apathy & Pointing Fingers (unproductive) Stagnant Approaches (wait and see) Thinking It will not happen to us Thinking We know our customers and we are different UMACHA 2013; All rights reserved. 15 You ve heard about CAT and other types of crime so what are you trying to protect? Your networks, your data, your systems, your company s deposit account balances, your reputation; in the end all the things you do that make your company what it is! UMACHA 2013; All rights reserved. 16 8

9 Aimed at protecting the security and integrity of certain ACH data throughout its lifecycle Establishes minimum data security obligations for ACH Network participants to protect ACH data within their purview Intended to be consistent with other data security obligations of ACH Network participants, without duplicating compliance burdens UMACHA 2013; All rights reserved. 17 Requires non-consumer Originators, Participating DFIs, Third Party Service Providers, and Third-Party Senders to establish, implement, and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of Entries. These policies, procedures, and systems must: Protect the confidentiality and integrity of Protected Information; Protect against anticipated threats or hazards to the security or integrity of Protected Information; and Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person UMACHA 2013; All rights reserved. 18 9

10 Protected Information defined as the nonpublic personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record Definition not only covers financial information, but also includes sensitive non-financial information (such as health information) that may be incorporated into the Entry or any related Addenda Record Rule applies to consumer information only, which is consistent with existing regulations and also with the approach of aligning the Security Framework with existing industry regulations and guidance UMACHA 2013; All rights reserved. 19 Access Controls: Security policies, procedures, and systems of ACH participants covered by this Rule must include controls on system access that comply with applicable regulatory guidelines Impacted systems include all systems used by the ACH participant to initiate, process, and store Entries UMACHA 2013; All rights reserved

11 As noted in a NACHA published document: The Rules do not establish oversight requirements for ODFIs attempting to monitor and enforce the compliance with these provisions, instead, as with all other provisions of the Rules, there is a requirement that ODFIs perform due diligence with respect to their Originators and 3 rd party senders that is sufficient to form a reasonable belief that the originator or 3 rd party sender has the capacity to perform it s obligations in conformance with the Rules. UMACHA 2013; All rights reserved. 21 Originators: Determine if existing policies, procedures, and systems are in place that would enable it to comply Originators that do not have such policies, procedures, and systems in place will need to establish and/or update policies, procedures, and systems to ensure compliance ODFIs: Determine if existing policies, procedures, and systems are in place that would enable it to comply ODFIs that do not have such policies, procedures, and systems in place will need to establish and/or update policies, procedures, and systems to ensure compliance Ongoing effort to make commercially reasonable efforts to verify the identity of its Originators and Third-Party Senders Add verification to annual Rules Compliance Audit UMACHA 2013; All rights reserved

12 1. Initiate ACH and wire transfer payments under dual control 2. Online commercial banking customers execute all online banking activities from a dedicated, stand-alone, and completely locked down computer system from where and web browsing are not possible. 3. Limit administrative rights on users workstations to prevent inadvertent downloading of malware (no user web surfing with admin rights) 4. Reconcile all banking transactions on a daily basis. 5. Financial institutions and companies should implement an awareness communications program to advise customers of current threats and fraud activities UMACHA 2013; All rights reserved Perimeter router blocking of all unnecessary ports 2. Intrusion Prevention Systems at perimeter and internal network 3. Firewalls with a default deny configuration 4. Layered anti-virus systems with different vendors at key access points and services 5. Web proxy systems with automated malicious site blocking and outgoing activity analysis 6. Perimeter SPAM and malicious content filtering 7. Least Privilege Doctrine for all users to prevent unauthorized software installation and assist in blocking malicious code installation 8. Vulnerability scanning program with patch and mitigation service levels defined 9. Comprehensive patch mgmt program that patches critical and high risk vulnerabilities within a short period of time. 10. Web and surveillance tools to identify information leakage and compromise. 11. Security Incident Mgt capability to correlate events 12. Subscribe and CONTRIBUTE to appropriate information sharing systems 13. Prepare and implement an Incident Response Plan 14. Develop a relationship with your local FBI and USSS Field Offices UMACHA 2013; All rights reserved

13 Positive Pay, Reverse Positive Pay Debit blocks and filters Stop all debits vs. stop all but specific debits Separate accounts for separate processes One for payroll, another for receivables, etc. Account reconciliation DAILY!! Balance Reporting UMACHA 2013; All rights reserved. 25 What is it? Phone call (voice authentication or just a simple phone call) Text message (SMS) Secure Fax Why do it? To authenticate that the file or transaction is what you intended to generate Fraud prevention method but may also assist in preventing unintentional processing errors (sending the wrong week s payroll file to your FI) UMACHA 2013; All rights reserved

14 FDIC's Cyber-Fraud and Financial Crimes Section FTC s Complaint Center Internet Crime Complaint Center (IC3) UMACHA 2013; All rights reserved. 27 Better Business Bureau: Data Security Made Simpler ABA: The Small Business Guide to Corporate Account Takeover U.S. Chamber of Commerce: Internet Security Essentials for Business FCC: Small Biz Cyber Planner & 10 Cybersecurity Strategies for Small Business Biz.pdf NACHA: Sound Business Practices for Businesses to Mitigate Corporate Account Takeover FTC Bureau of Consumer Protection: Protecting Personal Information A Guide for Business UMACHA 2013; All rights reserved

15 UMACHA OR Speakers Today Angi Farren, AAP & Jen Wasmund, AAP Addresses: & UMACHA 2013; All rights reserved