Auditing Wire Transfers and ACH Transactions

Transcription

1 Auditing Wire Transfers and ACH Transactions Tuesday, June 18, :15 AM 11:15 AM Presented by: John David McLeod, CPA, CISA, CITP Manager McNair, McLemore, Middlebrooks & Co., LLC 389 Mulberry St., Macon, GA Phone: (478)

2 Today s Agenda FFIEC guidance Recent statistics on account takeover How account takeover works & examples Recent court cases Internal controls slide 2

3 FFIEC Guidance Stated institutions should rely on layered security approaches. Stated not all transactions have the same risk. Specifically required institutions to implement solutions to (at a minimum): Detect and respond to suspicious activity Have better control of administrative functions slide 3

4 Recent Password Hacks Living Social - April 26, million customers including addresses, passwords and DOB Yahoo - July ,000 accounts LinkedIn - June million accounts Zappos (online shoe store) January million accounts exposed, including passwords Dropbox - July used stolen usernames & passwords from other hacks to sign into accounts slide 4

5 Recent Password Hacks When you consider approximately 55% of Americans use the same login and password across multiple platforms Password slide 5

6 Examples of Layered Security Anomaly Software Out-of-Band Verification Out-of-Wallet Questions Login / Password slide 6

7 Corporate Account Takeover Corporate account takeover is a type of business identity theft in which a criminal entity steals a business s valid online banking credentials. 1 Usually results in a fraudulent wire/ach. 1 slide 7

8 What About Statistics? slide 8

9 Monetary Losses to Fraud 7% 8% 8% 22% 55% < $100K $100K - $500K $500K - $2 million > $2 Million Not Sure Source: 2012 Faces of Fraud Survey, ISMG slide 9

10 Non-Monetary Losses Due to Fraud Loss of Productivity 59% Reputation 37% No Loss 29% Customer Accounts 26% Regulatory Scrutiny 14% 0% 10% 20% 30% 40% 50% 60% 70% Source: 2012 Faces of Fraud Survey, ISMG slide 10

11 Origin of Breach Threats Percent Most threats from China are not monetarily driven. 7% 5% 12% 30% 18% 28% China Romania United States Bulgaria Russia Other slide 11

12 Attack Techniques Hacking 72% Malware 54% Social 32% Misuse 18% Physical Error 9% 1% 0% 10% 20% 30% 40% 50% 60% 70% 80% slide 12

13 % of ATO Where Funds Left the Institution 80% 70% 70% 60% 50% 40% 30% 32% 20% 10% 12% 9% 0% Source: 2012 FS-ISAC Survey (1/2 of 2012) slide 13

14 More Statistics 100% 90% 4% 14% 9% 9% 80% 70% 26% 65% 60% 50% 40% 82% 91% 30% 20% 10% No Monetary Transaction Transaction Stopped Funds Left Institution 0% Wires ACH Other Source: 2012 FS-ISAC Survey (1/2 of 2012) slide 14

15 Reasons for Decrease? Customer Education Temporarily shutting down affected online customer access Manual review of ACH/Wire transactions over a specific dollar amount Analysis of customer login patterns Interrogation of customer sessions to detect anomalous traffic slide 15

16 How Does ATO Work? Thieves mimic an institution s website Malware or viruses are installed on customers computers Social engineering attacks to gain login credentials slide 16

17 How Does ATO Work? Malicious document attached to an Links within an to an infected website Employees visiting legitimate websites and downloading infected/malicious files Introduction of other devices (flash drives) slide 17

18 Who Are The Players? Organized Criminals often overseas Commercial Customers usually a small business Financial Institutions Money Mules slide 18

19 The Criminals where they shop slide 19

20 What is a Money Mule? Someone who moves stolen funds from one account to another. Recruited via /phone/online Often out-of-work Scammer will say we found you on careerbuilder.com or some other job search site Offer work from home jobs with no prior experience slide 20

21 What is a Money Mule? Money mules receive the funds in their bank account. The money mule then forwards the funds to another account, usually overseas. They keep a small portion of the funds as payment. Most money mules only receive about $5K-$10K to transfer, so their fee is rather small. slide 21

22 How Does It Work Thief recruits money mule Money mule redirects funds Thief hacks customer account Customer realizes theft Institution processes wire/ach Thief submits wire/ach slide 22

23 Example #1 - Details When - January 2013 Institution - $1 billion community bank Customer - small business How - thief hacked customer slide 23

24 Example #1 - Details 1. Thief hacks company 2. s bank requesting acct. information 3. Bank s thief 5 acct # s w/ balances 4. Thief requests $7K wire transfer 5. Bank processes & sends wire slide 24

25 Example #1 - Result Bank contacted customer after-the-fact and learned request was fraudulent Contacted receiving institution and got a hold placed on funds Bank ultimately recovered the $7K.after 3 months slide 25

26 Example #1 Lessons Learned Bank didn t follow its own procedure Wire requests via were not allowed by institution policy Board more concerned with getting $7K back than with the breach. slide 26

27 Example # 2 Details When December 2012 Institution - $375 million community bank Customer municipality (pop. 15,000) How type of man-in-the-middle attack slide 27

28 Example # 2 Details City controller logged into online banking website and received a denial page. Thief on the other end now has login credentials. Submits two ACH transactions ($250K). Other city employee logs into online banking and approves both ACHs. After approving, went to talk with City controller. slide 28

29 Example # 2 Details City contacted the bank who did not process the ACH - no loss. ISO for the bank visits city offices to determine what happened. No firewall or anti-virus in use slide 29

30 Example # 2 Lessons Learned Bank needed to improve customer education initiatives Implemented call-back procedures on all transactions for this customer account. 3 months later, still no firewall / anti-virus City was in negotiations with a vendor slide 30

31 Example # 3 Details When - January 2012 Institution - $135 million community bank Customer - small business How - fraudulent fax request slide 31

32 Example # 3 Details Customer receives fax request from Equifax It really wasn t Equifax Request was for updated credit reference information, including bank references Customer supplied all data, including account numbers & faxed it back with a signature slide 32

33 Example # 3 Details Bank receives wire request from customer for a wire to Russia for $27,000. Bank checked signature on fax to signature card and processed the wire. No call-back procedures were performed. Customer had never wired to Russia before. slide 33

34 Example # 3 Lessons Learned Good customer - bank took the $27,000 loss Small town - bank worried about reputation Going forward bank began performing and documenting call-backs on any wire originated other than in-person slide 34

35 Example # 4 Details (Same bank as in Example #3) When - June 2012 (6 months later) Institution - $135 million community bank Customer - small business How - fraudulent ACH submission slide 35

36 Example # 4 Details Customer controller gets from U.S. Postal Service telling of an undelivered package. Clicks on a link and gets a variant of the Zeus Trojan virus installed on PC. Thieves successfully submit ACH payroll batch for $317K. slide 36

37 Example # 4 Results Bank customer was contacted by an IT security blogger and informed that their account was being taken over. Customer then contacted the bank which was able to retrieve almost $260K. slide 37

38 Example # 4 Lessons Learned Red Flags (per bank personnel) Normal ACH for this customer was $200K. Fraudulent ACH was submitted in the afternoon - normal for this customer was in the morning. Customer was normally an ACH debit customer, but this was an ACH credit batch slide 38

39 Example # 4 Lessons Learned After two attacks in six months, the bank: Hired a law firm to re-write all online banking agreements. Began performing and documenting call-backs on all wires other than in-person wires. Engaged a third-party software company to monitor the ACH batches for unusual attributes. Hosted a lunch-and-learn for their business customers concerning online security. slide 39

40 Who is The Weak Link? CUSTOMER slide 40

41 Why The Weak Link? Expertise Lack trained IT professionals Money Usually do not have the budget for the needed technology Education Users are not educated about the risks Audit Small businesses don t have IT audits/regulations slide 41

42 Recent Court Cases PATCO Construction Hacked into company network/stole online banking ID Series of wires and ACH 3 year legal battle Out of court settlement (Dec. 2012) Bank had to reimburse customer for loss of $345,000 slide 42 Choice Escrow, LLC Hacked into company network/stole online banking ID Single wire transfer 3 year legal battle Judge s decision (March 2013) Customer had to bear loss of $440,000.

43 Choice Escrow, LLC because the company is small, with only a handful of staff, we didn t choose to use the bank s dual control settings for ACH and wire transactions. (Choice Escrow s manager of business development) slide 43

44 Internal Controls Risk Mitigation Strategies for the FI Customer Education slide 44

45 Internal Controls Common Wire Transfer Internal Controls: Wire Transfer Policy Dual Control Rekey of Wire Dollar Amount Transaction Limits Customer Agreements Security Procedures Independent Reconciliation (Segregation of Duties) Internal Audit Coverage slide 45

46 Internal Controls Wire Transfer Policy Approved by the board annually, or when there are significant changes in the wire process, systems, etc. Should address the following: Wire software used; Types of wires (domestic vs. international, customer vs. non-customer); Use of security procedures & customer agreements; Approval of an administrator; and Wire limits. slide 46

47 Internal Controls Dual Control Usually controlled by the wire software. Be aware: on some systems you can disable dual control. Audit dual control by reviewing system parameters and history logs of previously initiated wires. Not an area of frequent examiner comments. slide 47

48 Internal Controls Transaction Limits The board of directors and/or senior management regularly reviews and approves funds transfer limits. (source: FFIEC Wholesale Payment Systems booklet p. A-6, Examination Procedures) Usually reviewed annually when approving the wire policy. Review your insurance policy to ensure the limits you set don t violate the policy. slide 48

49 Internal Controls Customer Agreements You need written agreements with your repeat wire customers. Usually only see these when wires are initiated by phone, fax or (not in person requests). Authoritative Sources FFIEC Wholesale Payment Systems Booklet (p.a-4) Insurance Requirements Uniform Commercial Code Article 4A (UCC 4A) slide 49

50 Internal Controls Customer Agreements Should: Describe the security procedures to be followed when verifying the authenticity of a wire request. Include waivers from the customer if they opt-out of the security procedures. Get customer signature. Establish cut-off times for receiving, transmitting, amending and cancelling wire transfer requests. Identify individuals authorized to request wire transfers. Define the methods by which a wire transfer request can be initiated (phone/fax/ ). slide 50

51 Internal Controls Security Procedures (as defined in UCC 4A-201) A procedure agreed to by the institution and the customer for the purpose of verifying a wire request is authentic. A security procedure may require the use of algorithms or other codes, identifying words or numbers, encryption, call-back procedures, or similar security devices. Comparison of a signature on a payment order or communication with an authorized specimen signature of the customer is not by itself a security procedure. slide 51

52 Internal Controls Common Security Procedures PINs or Passwords (phone requests) Call-back procedures (fax and requests) Documentation You should document performance of the security procedure (include date, time, customer name, what was confirmed, etc.) slide 52

53 Actual Bank Insurance Policy slide 53

54 Internal Controls Independent Reconciliation (Segregation of Duties) Wire administrator should not have wire create or verify capability (limits should be set to $0). Due from account used for wire settlement should be reconciled by someone independent of wire operations. May be difficult in some institutions due to limited staff. Supervisors should review reconcilements of funds transfer activity on a regular basis. slide 54

55 Internal Controls How to Combat the Internal Fraud Threat Perform background checks on employees in wire/ach departments Review access levels regularly (job transfers, terminations) No temporary employees in wire/ach operations Employees subject to unannounced rotation of responsibilities Review of employee accounts (deposit and loans) Consider the role of relatives within the institution slide 55

56 Internal Controls Internal Audit Coverage Who Performs It? Be sure you know what each group is reviewing. Be alert for overlap or redundant procedures. Consider expertise of the auditor. Internal Auditors IT Auditors State ACH Organizations Audit report should include the procedures performed. slide 56

57 Internal Controls Internal Audit Coverage What to Include? Funds transfer requests Customer agreements A thorough audit should include testing samples of transfer requests & customer agreements. Payment processing & accounting (reconciliations) Logical & physical security Contingency plans Segregation of duties slide 57

58 Internal Controls Pre-Audit Checklist Review status of findings from prior audits Review user access privileges & limits Be alert for terminated or transferred employees Ensure limits in the system agree to those approved If on FedLine, review audit logs on software Account for all customer agreements Review wire and ACH system parameters slide 58

59 Actual ACH Settings slide 59

60 Actual Online Banking Settings slide 60

61 Customer Education Customer Security Awareness What is your institution s biggest challenge to fraud prevention? 68% - Lack of Customer Awareness 1 The customer is an extension of the institution s security. Customer education is critical with today s threats. Customers aren t bankers or IT security professionals Faces of Fraud Survey, ISMG slide 61

62 Customer Education Customer Education Program Should Include: Explanation of protections provided and not provided. Discussion of when the institution may contact a customer and request electronic banking credentials. A suggestion that online banking customers perform a risk assessment and controls evaluation. List of alternative risk control mechanisms. List of institution contacts for customers with concerns about suspicious account activity or other events. slide 62

63 Customer Education Customer Education Opportunities: Lunch and Learn session with business customers and IT professionals. Some larger institutions are offering free anti-virus software for one year. Notes in statements or on online banking website regarding security. Newsletters / whitepapers in a fraud resource center See slide 63

64 Future Outlook / Threats More Sophisticated Attacks Attacks on Institutions Directly Mobile Devices slide 64

65 Questions? John David McLeod, CPA, CISA, CITP Manager Phone: (478) slide 65 Your company logo here