Protect Yourself Against Fraud

Transcription

1 Protect Yourself Against Fraud You ve probably heard in the national media recently about a number of well-publicized credit and debit card thefts. Scary? Yes. Should this concern you? Yes. But you and your bank should be partners in spotting and preventing fraud. Learn what banks do and what you can do to actively fight debit card fraud, account takeovers and check fraud. Cape Cod Five is offering a series of three seminars, at our Dennis and Hyannis branches and online, to provide you with the tools you need to help prevent fraud. Space is Limited. Please RSVP to rsvp@capecodfive.com Hosted by CJ Conrad, SVP, Chief Customer Experience Officer and Diane Rowlings, VP and Security Officer

2 Register today for our Fraud Education Workshops Don t Be a Target: How banks and consumers partner to protect against fraud Join us for an insightful and informational one-hour seminar that provides insight into some of the well-publicized debit and credit card thefts reported in the national media. We will also explain the new chip technology and how it will help. Hyannis Branch Community Room, 171 Falmouth Rd. (Route 28) Thursday, March 6, 5:30 6:30 p.m. Dennis Branch Board Room, 688 Main St. (off Route 134) Thursday, March 13, 5:30 6:30 p.m. The Hype and Reality: Best Practices for Digital Banking Hyannis Branch Community Room, 171 Falmouth Rd. (Route 28) Thursday, April 3, 5:30 6:30 p.m. Dennis Branch Board Room, 688 Main St. (off Route 134) Thursday, April 10, 5:30 6:30 p.m. Webinar Thursday March 13 12:30-1:30 p.m. Have you ever considered that online banking might be safer than traditional banking? In this hour-long seminar we will share the basics of online banking, what banks are doing to protect your accounts and money online, as well as best practices. Hyannis Branch Community Room, 171 Falmouth Rd. (Route 28) Thursday, March 20, 5:30 6:30 p.m. Dennis Branch Board Room, 688 Main St. (off Route 134) Thursday, March 27, 5:30 6:30 p.m. Fraud on Cape Cod? Understanding Check Fraud Schemes Webinar Thursday March 20 12:30-1:30 p.m. Diane Rowlings, Vice President and Security Officer at Cape Cod Five, will join this seminar to present real stories of real scams that have been attempted on Cape Cod. You ll hear about the top five scams we ve seen this year, and how to not fall victim to them. Webinar Thursday April 3 12:30-1:30 p.m.

3

4

5

6

7

8

9 Federal Agency Resources to fight back against identity theft The federal trade commission website provides detailed information on the prevention and detection of identity theft as well as resources on what to do if your identity is stolen. The consumer protection agency website provides information as well as tips for filing a complaint. Federal Trade Commission: Consumer Action: National Fraud Information Center: Consumer Resources The consumer resources that are available on this government website list local, state, and federal agencies, major trade association, and consumer groups. Consumer Financial Emergency Survival Kit: Consumer Protection Publications: Opt-out of prescreened credit or insurance offers: OnGuard Online-Spyware: Internet Scams Phishing is a form of online identity theft that lures consumers into divulging their personal financial information to fraudulent web sites, also known as spoofed web sites Vishing is a new form of internet fraud out there these days: it is called Vishing. Not to be confused with the basic phishing scams, vishing involves the use of Voice over Internet Protocol (VoIP)

10 Check Fraud How to recognize check fraud Mail Fraud The United States Postal Service provides information and articles on how to identify scams that come in the mail is another way that consumers are targeted with offers that look like it is from a trustworthy source in order to capture your information. Telemarketing Scams How to avoid do not call scams. Credit Reports Annual Credit report website allows you to obtain one free credit report each year from all three credit reporting agencies. Stagger the year and review your credit report 3 times a year

11 Attack on Vendor Set Up Breach at Target The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. Last week, KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel a password-stealing bot program that is a derivative of the ZeuS banking trojan but that information could not be confirmed. Through a PR firm, Fazio declined to answer direct questions for this story, and Target has declined to comment, citing an active investigation. In a statement (PDF) issued last week, Fazio said it was the victim of a sophisticated cyber attack operation, and further that our IT system and security measures are in full compliance with industry practices. There is no question that, like Target, Fazio Mechanical was the victim of cybercrime. But investigators close to the case took issue with Fazio s claim that it was in full compliance with industry practices, and offered another explanation of why it took the Fazio so long to detect the malware infection: The company s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware. To be clear, Malwarebytes Anti-Malware (MBAM) free is quite good at what it s designed to do scan for and eliminate threats from host machines. However, there are two problems with an organization relying solely on the free version of MBAM for anti-malware protection: Firstly,

12 the free version is an on-demand scanner that does not offer real-time protection against threats (the Pro version of MBAM does include a real-time protection component). Secondly, the free version is made explicitly for individual users and its license prohibits corporate use. Fazio s statement also clarified that its data connection to Target was exclusively for electronic billing, contract submission and project management. The company did not specify which component(s) of Target s online operations that Fazio accessed externally, but a former employee at Target said nearly all Target contractors access an external billing system called Ariba, as well as a Target project management and contract submissions portal called Partners Online. The source said Fazio also would have had access to Target s Property Development Zone portal. According to a former member of Target s security team who asked not to be identified, when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory: I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application, the source said. Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I m sure the Ariba system was no exception. I wouldn t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the sever had access to the rest of the corporate network in some form or another. Last week s story about Fazio s role in the attack on Target mentioned that Target could be facing steep fines if it was discovered that the company was not in compliance with payment card industry (PCI) security standards. Among those is a requirement that merchants incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties. Another source who managed Target vendors for a number of years until quite recently said that only in rare cases would Target have required a vendor to use a one-time token or other twofactor authentication approach. Only the vendors in the highest security group those required to directly access confidential information would be given a token, and instructions on how to access that portion of the network, the source said, speaking on condition of anonymity. Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.

13 But according to Avivah Litan, a fraud analyst at Gartner, Target wouldn t have needed to require vendors to use two-factor logins if the company believed it had taken steps to isolate the vendor portals from its payment network. In fairness to Target, if they thought their network was properly segmented, they wouldn t have needed to have two-factor access for everyone, Litan said. But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation. OPEN-SOURCE INTEL Many readers have questioned why the attackers would have picked on an HVAC firm as a conduit for hacking Target. The answer is that they probably didn t, at least at first. Many of these malware attacks start with shotgun attacks that blast out far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff. But Target may have inadvertently made it easier for the attackers in this case, in part by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. Indeed, many of these documents would be a potential gold mine of information for an attacker. Here s an example that just happens to be somewhat specific to HVAC vendors: A simple Google search turns up Target s Supplier Portal, which includes a wealth of information for new and existing vendors and suppliers about how to interact with the company, submit invoices, etc. That page leads to a separate page of information on Target Facilities Management, which includes a slew of instructions on submitting work orders. That page also includes a link to another set of resources: A Supplier Downloads page that, oddly enough, is little more than a long list of resources for HVAC & refrigeration companies. What could an attacker learn from this information? For starters, download any of the Microsoft Excel files listed at that page. Then scan the file with a free online service (like this one) that extracts metadata from submitted files. Scanning the file FM_HVAC_Oct_2011_Summary.xlsx from the Supplier Downloads Page, for example, tells us that the file was created in June 2011 with a copy of Microsoft Office 2007 licensed to Target Corp. That metadata also indicates the file was created or last edited by a person with the Windows username Daleso.Yadetta, and that it was most recently printed to a system on Target s network in the following Windows domain: \\TCMPSPRINT04P\ Getting the layout of the various Windows domains within Target s internal network would certainly help the attackers focus their attention. For example, consider what we know about a key piece of the malware known to have been used in the Target intrusion, first referenced in a story on Jan. 15, Investigators who examined the malware quickly noticed that it was designed to move data stolen from Target s (then malware-infected) cash registers to a central collection point on Target s network, a Windows domain called \\TTCOPSCLI3ACS\.

14 Investigators believe ttcopscli3acs wass the name of the Windows domain used by the POS malware planted at Target stores. A little Googling shows that Target operates two data centers, both in Minnesota: Target Technology Center or TTC for short is located in Brooklyn Park, Minn. on one of the company s corporate campuses. The company also operates a redundant data center Target Technology Center Elk River (TTCE) in Elk River, Minn. as a backup. It s a good bet that the server referenced inside the malware used in the Target breach resided within the company s Brooklyn Park facility. You may also like: Target Hackers Broke in Via HVAC Company New Clues in the Target Breach A Closer Look at the Target Malware, Part II Who s Selling Credit Cards from Target?

15 Cape Cod Five Cents Savings Bank Consumer Online/Mobile Banking Best Practices General Controls Use a strong password; at least 10 characters combining upper case and lower case letters, numbers and symbols. Upon logging in, confirm your last sign-on date on the Cape Cod Five Online Banking welcome page (Online Banking Only). Establish the lock or passcode feature on your mobile device. This will help ensure that, in the event your device is stolen, no one will be able to access your device. Do not use account numbers when providing nicknames for the account. Limit where you login and never login at a public or unsecured computer. It is recommended that you use a dedicated computer reserved solely for performing activities related to Cape Cod Five Online Banking (e.g. no , web browsing). Ensure that your virus protection, firewall, and operating system are updated and patched. Setup and regularly review alerts and notify the Cape Cod Five if you don t recognize specific transaction activity. (See full alerts list below) Bill Payment The Bank has set a daily transaction limit for the bill payment service to provide an additional level of security. Stay on top of your bill pay activity by reviewing payment history on a regular basis. A bill payment transaction report will show payments made in historical order with the most recent payments appearing first. Setup and regularly review alerts and notify the Cape Cod Five if you don t recognize specific transaction activity. (See full alerts list below) Alerts (received via or text message) Service Alerts o Password, User ID, and contact information changes o User ID locked out o estatement notifications o New Account added o New external transfer account added Account Alerts o Account balance notifications (daily or weekly) o Balance above/below threshold Page 1

16 o Transfers processed or failed o Specific check # processed, specific deposit amount processed ATM/Check Card Alerts o Card status changes o Transaction above specific amount o Transaction declined o Transaction processed as card not present o o Transaction processed out of state or in another country Transaction is suspicious (relates to real-time analysis of your card activity compared to your usual behavior) Bill Payment Alerts o Automatic payment scheduled o Account related issues o ebill notifications o Payee additions or changes o Payment processed or failed o Payment reminders Page 2

17 General Controls Cape Cod Five Cents Savings Bank Business Online Banking Security Best Practices Incorporate Crime Insurance coverage into your existing insurance policy. Ensure that your virus protection and firewall are updated and patched. When you or your staff log in, confirm your last sign-on date on the Business ebanking welcome page. This provides a quick check that the last log in was an authorized one. Never use account numbers as account nicknames. Keep account numbers confidential. Follow secure password procedures: never use phone numbers, birthdates, or other obvious phrases and don t leave passwords out in the open near your computer. Do your business banking only on your own secure computer. Don t use a public network or a public computer for your business. Register your business computers so you won t need to answer challenge questions on subsequent logins. Secure token sign-on provides a higher level of security when logging in. You must use secure token sign-on if you process ACH or Wire transactions. If you want to use token sign-on for all transactions, let us know and we will set it up for you. Establish multiple approvals to create a set of checks and balances. You can limit access to employees who can only create an ACH or Wire transaction versus other employees who have access to transmit and finalize the transactions. Setup and regularly review alerts, either through or SMS text on a mobile device, and notify the Cape Cod Five if you don t recognize specific transaction activity. (See full alerts list below) Bill Payment The Bank has set a daily transaction limit for the bill payment service to provide an additional level of security. Stay on top of your bill pay activity by reviewing payment history on a regular basis. A bill payment transaction report will show payments made in historical order with the most recent payments appearing first. Setup and regularly review alerts and notify the Cape Cod Five if you don t recognize specific transaction activity. (See full alerts list below) Note: Some of the alerts may not apply depending on the services that are enabled (i.e. ACH or Wire capabilities) Alerts (received via or text message) Service Alerts o Password, User ID, and contact information changes; sub-user phone number changed o User ID locked out Page 3

18 o Sub-user additions or changes; sub-user addition awaiting approval o New Account added; closing of an account o Updated/changed user rights o Wire file upload complete with errors o ACH file upload pending approval Account Alerts o Account balance and activity alerts (checks presented, credits/debits posted, max/min balances) o Transfers and payments ACH pending approval ACH template activity and template pending approval Transaction failed o Statements and/or Documents available (i.e. estatements) o Wire transfer alerts Outgoing wire status changes Wire transfer pending approval Wire template activity and template pending approval Wire deleted or returned with errors Bill Payment Alerts o Automatic payment scheduled o Account related issues o ebill notifications o Payee additions or changes o Payment processed or failed o Payment reminders Page 4

19

20

21

22

23

24

25

26

27