Fraud Prevention Tools: Best When Used As Directed

Transcription

1 February 2012 Fraud Prevention Tools: Best When Used As Directed Table of Contents EXECUTIVE SUMMARY Making the right tools and practices work...2 Holistic approach...2 Impact...3 Fluid situation...4 Fraud insurance...4 Conclusion How fraud-savvy are you?...5 Fraud prevention, while not rocket science, does require both rigor and revisiting. As Milton Santiago, Portal and Treasury ecommerce Executive at Bank of America Merrill Lynch explains, careful compliance with a comprehensive prevention checklist coupled with thorough employee education (and regular updates to both these measures) will go a long way towards keeping your corporation from harm.

2 Fraud Prevention Tools: Best When Used As Directed 2 Most successful fraud schemes take advantage of human nature; for every highly sophisticated technological exploit, there are probably hundreds of more lucrative and far simpler frauds that take advantage of a completely preventable human lapse in security. As a result, those organizations prepared to leverage their banks existing secure processes/technology, with a modest investment of their own in anti-fraud measures and employee education, will enjoy a robust return and a quieter life. Making the right tools and practices work The key to fraud prevention tools and secure processes is proper usage. Banks can put the most robust technology and processes in place, but they cannot directly control the way in which clients use them. For example, if a company s personnel chooses convenience before security and leaves passwords/pins on slips of paper laying around, even the best security technology processes are powerless. Similar situations can also arise at a corporate policy level; a case in point are companies that persist in using applications or web browsers that are both obsolete and known to be inherently insecure. They may be doing so to save the costs of rolling out a new application, or simply for convenience; whatever the reason, the end result could be a fraud event. By contrast, the organization that properly uses the recommended applications to interact with their financial institution is already taking the first steps towards a more secure (and less eventful) future. Holistic approach...the organization that properly uses the recommended applications to interact with their financial institution is already taking the first steps towards a more secure future. yfront-door security is akin to locks/bolts on a front door and consists of measures such as passwords, digital certificates and tokens. Additional measures can include keeping a record of an individual s PC and how they typically transact online. Any departure from established patterns (such as connecting from a different computer) can then be used to trigger an additional security question in the authentication process. yprocess and review based controls are designed to work closely with frontdoor security and focus on early detection of fraud through measures such as daily reviews of audit logs for suspicious log-ins and transaction activity. Other aspects include keeping user ID and password administration up-to-date and being responsive to personnel changes by immediately revoking credentials for employees who have been transferred or left the company.

3 Fraud Prevention Tools: Best When Used As Directed 3 ytransactional controls provide additional layers of security and identification processes that relate to the actual activity being undertaken by client personnel. The lowest level might apply to clients researching public information or viewing non-editable content, while a middle layer would apply for those retrieving material such as confidential reports or check images. The highest level would apply to payments and include segregation of setup and authorization activities, one-time authentication codes and dual authorization. The stringency of these measures will typically be graduated according to the size of payment involved. yemployee education (if inadequate) is the potential show stopper that can completely negate the value of the preceding three security components, as insecure employee behavior can render even the most stringent security protocols useless. For this reason, it is also the area where professional fraudsters will target most of their efforts. Therefore, the maximum focus is required on this mission-critical area, which must not only provide specific examples and relevant case studies during the training process, but also attempt to instill a security aware mindset. Impact When discussing fraud, it is common for corporations to focus only on the immediate financial consequences. While these can of course be severe, there are far wider implications to a fraud incident that can have a more enduring and potentially damaging impact. Reputational risk is perhaps the most obvious and can take many guises. A major fraud with a publicly cited loss figure may prompt some suppliers to reassess a company s financial stability, which can result in the withdrawal/ reduction of credit facilities. However, there is a broader and potentially even more pernicious problem here. If a company suffers a security lapse, all organizations that do business with it are at risk of suffering the consequences of any data breach. Trading partners will be concerned that details of their transaction patterns and other confidential information may also have been stolen and that these can then be exploited by fraudsters to initiate targeted attacks on themselves. This domino effect can be further exploited by fraud techniques such as spear phishing....there are far wider implications to a fraud incident that can have a more enduring and potentially damaging impact.

4 Fraud Prevention Tools: Best When Used As Directed 4 Fluid situation One of the most vital things to appreciate about fraud prevention is that it can never be static. The ways in which fraud is committed is continually shifting in response to opportunities arising from changing corporate business models and technology. Professional fraudsters are always tracking these changes and looking to exploit them. For example, if a company announces it is opening an office in a new country, this immediately alerts fraudsters to a number of possible opportunities, including: The ways in which fraud is committed is continually shifting in response to opportunities arising... ythe lack of established security procedures in the new office yinexperienced personnel yinsecure, untested temporary IT infrastructure ynew patterns in payment traffic making any anomalous transactions harder to detect Similar fraudulent opportunities arise from the slow adoption of new standards. The use of outdated browsers or operating systems that are no longer supported by the technology provider, create unnecessary risk and provide a potential opening for fraudsters who know how to exploit them. Fraud insurance The risk of fraud has not gone unnoticed by the insurance industry, which now offers electronic fraud and cyber risks insurance policies. However, the vital point here is that this should be the final corporate safety net not the frontline protection. As with auto insurance, this is for covering situations completely beyond an individual or organization s direct control, not providing an excuse for inaction. Nevertheless, fraud insurance can play a valuable role in an integrated security process in conjunction with robust banking infrastructure and corporate best practice. Conclusion Keeping your fraud experience reassuringly tedious isn t high-tech, but it does require ongoing effort. Your bank should be able to assist you in putting together a fraud checklist that will mesh effectively with its banking platform and client communication channels. Corporations that invest effort in complying with this checklist, and also invest in up-to-date business technology, should be wellplaced to minimize fraud.

5 Fraud Prevention Tools: Best When Used As Directed 5 How fraud-savvy are you? Do you... yemploy a stand-alone, hardened or completely locked down computer ytrain your workforce on suspicious s yactively manage firewalls yprohibit shared usernames and passwords yuse a different password for each website that is accessed yprohibit sharing usernames with third-party vendors ylimit administrative rights yinstall commercial anti-virus and desktop firewall software yensure virus protection and security software are updated monthly yensure computers are patched regularly yconsider installing spyware detection programs yclear the browse cache before starting an online banking session yverify use of a secure session (https not http) yavoid using automatic login features on websites yhave policies prohibiting computers from being left unattended yrestrict access to online financial information to pre-approved and protected locations yunderstand how to use all security tools available yknow that you should immediately notify financial institutions of suspicious activity For example, if Company A suffers a financial security breach, the fraudster may also have gained access to other material such as its traffic. If the fraudster knows that an individual at Company A regularly s a particular individual at Company B, they can tailor a bogus communication to that second individual. Because that person will recognise the Company A sender s name, they will be more likely to unthinkingly open any (malicious) attachment. Bank of America Merrill Lynch is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ( Investment Banking Affiliates ), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and members of FINRA and SIPC, and, in other jurisdictions, by locally registered entities. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured May Lose Value Are Not Bank Guaranteed Bank of America Corporation AA-AH-0168ED