Payment Fraud Trends

Transcription

1 2013 CliftonLarsonAllen LLP Payment Fraud Trends How to Protect my Business Customers from Payment and Corporate Account Take Over CLAconnect.com

2 CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S. Over 50 years of specialized Banking Advisory Services Audit & Tax Regulatory Compliance Information Security Internal Audit Outsourced IT Mgmt Consulting

3 What do the Following Have in Common? Mining company Electrical contractor Catholic church parish Rural hospital Health care trade association Collection agency Main Street newspaper stand Hospice Public School District Community bank On and on and on and on..

4 Norton/Symantec Corp The Cost Norton/Symantec Corp. Cost of global cybercrime: $114 billion annually Time lost due to cybercrime an additional $274 billion Cybercrime costs the world significantly more than the global black market in marijuana, cocaine, and heroin combined ($288 billion) Hackers go for the easy money Bank customers are much easier targets than the banks themselves

5 Ponemon Study(ies) The Cost Cost of data breach has declined from $214 to $194 Business Banking Trust Trends: Small businesses not changing their technologies or processes to keep up Small businesses are holding banks accountable for the security of their banking transactions Seventy-four percent of respondents say their businesses have experienced online banking fraud Often businesses learn about fraud before the bank notifies them In many cases, if funds are stolen banks are not reimbursing the business that was a victim of an attack These findings indicate that businesses are vulnerable to various forms of online fraud and, as a result, banks are at risk of losing their customers if they do not improve their fraud prevention practices

6 Banks vs. Customers In the Courts Bank Sues Customer $800,000 fraudulent ACH transfer - bank retrieves $600,000 = $200,000 lost Both bank and customer have responsibilities, who is at fault? Customer Sues Bank $560,000 fraudulent ACH transfers Funds wired to accounts in Russia, Estonia, Scotland, Finland, China and the U.S. and withdrawn soon after deposits were made Customer alleges the bank failed to notice unusual activity Until the fraudulent transactions were made customer had made just two wire transfers ever In just a three-hour period, 47 wire transfer requests were made In addition, after customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated What are the bank s obligations versus the client s? Updated regulatory guidance should improve consistency of controls Court Cases Will Eventually Set Standard - Both parties accountable for risks

7 The Cost Cyber Crime Corporate Account Takeover Fraud 60 percent of small businesses will close within six months of a cyber security attack. - National Cyber Security Alliance

8 Preventing and detecting cyber crime How vulnerable are your customers to a cyber attack Very vulnerable when the proper security measures are not taken Cyber security is often and afterthought until an incident actually happens but by then it may be too late

9 Common Misconceptions about Cyber Fraud Hacking is not real! I d believe it if someone changed my computer wallpaper image! Someone who will remain anonymous It s not going to happen to us Famous last words of several organizations

10 How does it work? Methods of compromise Website hacking Malicious website Social Engineering phishing Rouge employee

11 How does it work? Phishing Harvest organization addresses Typically mass quantity attacks (shotgun approach) NACHA s Designed to appear realistic and/or from internal (trusted) sources.

12

13 Phishing and ACH Case Study Two December Finance person receives 2,000 spam messages Later in the day, fraudsters make three ACH transfers within 30 minutes: $8,000 to Houston Two transfers for $540,000 each to Romania In this case, business insists the following controls were not followed: Dollar limit/thresholds were exceeded Call back verification did not occur Lessons learned

14 Case Study Three mytimeufa.ru/images/nacha_paychange[.]ht ml

15 Case Study Three Employee clicked on a phishing appearing to come from the National Automated Clearing House Association (NACHA) Embedded link resolves to a Russian IP address Employee s internet banking credentials were compromised Employee s browser was injected with malicious HTML asking for additional confidential information when they visited the internet banking site Employee also received a call from supporting actor in the attack

16 Case Study Three Attacker initiated approximately $125,000 in fraudulent ACH transactions The weird call prompted the employee to call the bank and transactions were stopped Additional information: Employee indicated to IT that anti virus logs were reporting malicious activity the day before the malicious transaction activity Lessons learned

17 Phishing and ACH Case Study Four August 2012 January 2013 Bank customer (hospital) gets hacked/phished Two ACH payroll files totaling > $150,000 Lessons learned

18 2013 CliftonLarsonAllen LLP Key Defensive Measures CLAconnect.com

19 Key Defensive Measures Our focus is on customer awareness training because Customers LOVE to click on malicious s! Security falls on the back burner at many organizations...they want things to run! The human element is often the weakest link when it comes to information security It s cost effective

20 What s in a training program? Quality/Quantity vs. Annual Check-the-box approach Social media and website awareness prevents data and harvesting, limits clicking on malicious links Safe web browsing phishing identifying fake s Password management Proper technical security measures Reporting suspicious activity BTW be sure to listen to your customers Dual approval

21 What s in a training program cont Delivery methods In person training Lunch and learns Newsletters alerts Quick reference guides Website messages MAKE IT OBVIOUS! Not buried in a website Same principles can and should be applied internally

22 Key Defensive Measures Technical Security measures Firewalls Web traffic filtering (blocking bad sites) Intrusion detection systems Logging and alerting Anti-virus software Password enforcement Dedicated (isolated) systems for performing banking transactions Incident planning Be prepared. Think WHEN, not IF

23 Key Defensive Measures What about online banking? Layers of security Two factor authentication for business customers (at least two of the following: Something you know (username, password, questions) Something you have (token, smart card) Something you are Dual control Disable uncommon services Fraud alerting

24 Key Defensive Measures What about online banking cont Transaction templates Account and transaction thresholds Enforce strong passwords

25 Key Defensive Measures Security = Culture!! Security is a BUSINESS issue, NOT a technical issue!! Strategy: Administrative Policies / Procedures Physical Access Controls Technical Security Controls

26 Key Defensive Measures Test, Test, Test Belt and suspenders approach Penetration testing Internal and external Social engineering testing Simulate spear phishing Application testing Test systems at your bank Test internal processes

27 Summary Hacker trends Education communicate with your customers Risk assessment Administrative controls Monitoring and anomaly detection Communicate with your customers People Rules ` Tools

28 Questions? Hang on, it s going to be a wild ride!! Randy Romes, Partner Information Security Financial Institutions Randy.Romes@CLAconnect.com (612) Peter Storm, Senior Consultant Information Security Financial Institutions Peter.Storm@CLAconnect.com (612)

29 References FFIEC Authentication Guidance (2001) (2005) 11%20(FFIEC%20Formated).pdf (2011) Bank Info Security: FDIC ACH Advisories:

30 References Fraud Detection and Monitoring Solutions Guardian Analytics - FraudDesk Guardian Analytics - FraudMAP Easy Solutions Detect Safe Browsing Easy Solutions Detect Monitoring Service Jack Henry Banking Gladiator NetTeller ESM ICT Solutions Smart Fraud Monitoring ACH Positive Pay

31 Resources and References Privacy Rights <dot> org Resource for state laws Michigan company sues bank nk_over_theft_of_560_000_?taxonomyid=17 Bank sues Texas company

32 References to Specific State Laws Are there state-specific breach listings? Some states have state laws requiring breaches be reported to a centralized data base. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont, and Virginia. (Virginia s notification law only applies to electronic breaches affecting more than 1,000 residents) However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii, and Wisconsin. State laws: For details, see the Open Security Foundation Datalossdb website:

33 Risk Mitigation for Online Banking Review and understand bank supplied/required controls for electronic banking Review and understand the differences between wire transfer, ACH, and other methods of payment

34 Risk Mitigation for Online Banking Limit administrative control on banking account Do NOT use master account to perform standard banking activities Create segregation of duties and delegate responsibilities 1. Initiation/request 2. Authorization 3. Review (might be part of authorization might be independent review later)

35 Risk Mitigation for Online Banking Meet with insurance agent to understand what, if any, cyber liability coverage is in place or can be acquired Understand limitations and exclusions Perform risk analysis of (electronic) banking function at least annually - review the following: AV and anti-malware software function Patch/update management How do other roles/responsibilities/activities of staff interact/intersect with banking responsibilities

36 Risk Mitigation for Online Banking Consider having systems tested to ensure they are configured to operate securely (behave as expected) Firewall Wireless Servers Workstations/laptops/tablets Strongly consider the use of dedicated PC(s) for banking activities Stand alone PC NOT used for internet browsing, , or any other functions

37 Risk Mitigation for Online Banking Manually scrutinize payment activities on/around high volume times (i.e. payroll, month-end accounts payable activities, etc ) Implement positive pay features/functionality if available Pay for it if available Monitor/review your account(s) as frequently as possible (i.e. at least daily)

38 Risk Mitigation for Online Banking Follow good password practices DO NOT use the same password for banking that you use anywhere else Make banking password as long as the system will support and you can remember (think pass phrases)

39 Risk Mitigation for Online Banking Computer/system controls to implement: Enable automatic updating for operating systems and applications Ensure that Antivirus/Antimalware software is automatically updating every day Employ spam filtering service

40 Risk Mitigation for Online Banking Configure client software so that it does NOT automatically open/render/display imbedded graphics or pictures in messages Consider using personal/dedicated cellular MIFI cards for wireless internet access if banking must be done from laptops/portable devices Turn on system auditing and retain log files (consider hiring a consultant to ensure this is occurring properly)

41 Risk Mitigation for Online Banking Do NOT DO NOT Perform commercial banking activities from home/personally owned PCs DO NOT Perform banking activities from public use PCs/kiosks

42 Risk Mitigation for Online Banking DO NOT open attachments or links from unsolicited/unexpected messages claiming there is a problem with your account or there is a problem with your payment DO NOT provide information proving who you are (i.e. password, SSN, account numbers) to unsolicited callers or unsolicited The bank will NOT contact you in this manner