THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS

Transcription

1 THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS David Glockner, Managing Director strozfriedberg.com

2 Overview The big picture: what does cybercrime look like today and how is it evolving? What are the principal cybercrime risks facing banks? Banking malware Other types of cybercrime directed at banks What can banks do to mitigate their cybercrime risks? What should banks do when an incident occurs? 2

3 The Big Picture Big-Picture Trends in the World of Hacking: Hacking is increasingly a business Development of hacker technology is well-funded and rapid Increasing focus on mobile platforms Robust underground market for hacker tools, services, and loot, and for handling financial transactions Less technical skill is required to pull off complex attacks Automation of hacking techniques has made it profitable to go after smaller targets who often have weaker security 3

4 The Big Picture A Few Sample Ads From the Underground: Source: Trend Micro, Russian Underground 101 : 4

5 The Big Picture 5

6 The Big Picture What are the principal sources of cybercrime threats? External threats Financially motivated hacker groups Hacktivists Economic espionage, often state-sponsored Cyberwarfare Internal threats Disgruntled or corrupt employees Departing employees Negligence 6

7 The Big Picture A Few Statistics From The 2013 Verizon Data Breach Report: 7

8 The Big Picture 2013 Verizon Data Breach Report: 75% of intrusions driven by financial motive 78% of initial intrusions rated as low difficulty 66% of intrusions took months or more to discover 2013 Ponemon Institute Cost of Data Breach Report for United States: $188 average cost per customer record breached $5.4 million average cost per breach Main causes of breach: Malicious attack 41% Employee negligence 33% System glitches 26% 8

9 Cybercrime Risks to Banks: An Overview Cybercrime specifically targeting banks: Malware compromising online banking platforms Debit card/atm fraud PCI data theft Compromises of loan verification systems Distributed Denial of Service attacks Cybercrime risks facing all businesses, including banks: Insider theft of money, data, and IP Data breach Compromise of business computers Also: Cybercrime as a credit risk 9

10 Banking Regulators and Cybercrime Comptroller of the Currency Thomas Curry, Sept 18, 2013: As important as it is to look back and deal with issues arising from the financial crisis, it is equally urgent that we look ahead and stay on top of emerging threats some of which have the potential to be as destructive of the financial system as the excesses of the mortgage and securitization markets. The particular issue I have in mind, and the one I want to spend the rest of my time on today, involves the operational risk posed by cyberattacks. FFIEC Supplemental Guidance on Authentication in an Internet Banking Environment (2011) SEC Guidance on disclosure obligations relating to cybersecurity risks and cyber incidents (2011) FFIEC Proposed Guidance on social media risk management (2013) 10

11 Banking Malware Typically installed through phishing attacks and visits to compromised web sites Connected to hackers through command and control servers, often hidden in compromised computers Pervasive 2012 Fire Eye study: on average, organizations experience a malware event once every three minutes Hundreds of banking malware variants, with many infecting millions of computers Common families of banking malware include Citadel, ZeuS, Spy Eye, Carberp, Gozi, Shylock, Gameover Increasingly targeting smaller businesses and smaller banks 11

12 Banking Malware What are common capabilities in banking malware? Fully control traffic to and from browser Collect login information and transmit to command and control server Take over or initiate on-line banking sessions without user s knowledge Identify highest value account and transfer fixed percentage or amount Alter designated recipient of authorized transfer Replace links and portions of pages served by browser with substitute content, including modifying account balances and transaction history displayed to user Automatically look up transferee account information in database of active mules Customized malware packages for different banks Evade detection by hiding location and activity on computer Search for and disable competing malware Block infected computers from visiting security sites Compromise multi-factor authentication 12

13 Banking Malware How do hackers compromise multi-factor authentication? Mobile phone malware intercepts texts sent to phones Software bypass of smartcard reader + PIN system Denial of Service attacks used as distractions Customer phones forwarded to hackers to thwart phone authentication 13

14 Banking Malware E One example: Eurograbber (2012) $37 million loss 30,000 customers 30+ European banks 14

15 Banking Malware E Distributed Denial of Service attacks as cover for malware schemes Prevent customers from accessing accounts Distract bank security resources OCC Guidance (12/2012) NCUA Guidance (02/2013) 15

16 Banking Malware E Who s left holding the bag after a banking malware attack? Losses in the hundreds of thousands, and even millions, are increasingly common from single attacks UCC (Art. 4A) protects banks from liability to business customers for fraudulently initiated transactions if: Bank and customer agree on a security procedure for verifying authenticity of transactions Bank s security procedure is commercially reasonable and Bank follows the security procedure What s commercially reasonable? Litigation increasing; courts just beginning to sort it out 16

17 Banking Malware E Patco v. People s United, 684 F.3d 197 (1 st Cir. 2012) Six unauthorized ACH withdrawals totaling $588,000 over week in 2009 Court: Bank s security system not commercially reasonable Relied on challenge questions (no multi-factor authentication) Questions asked for virtually all transactions Approach not tailored to customer needs Bank failed to monitor high-risk transactions Bank failed to notify customers when high-dollar, high-risk transaction pending Malware was a foreseeable risk 17

18 Banking Malware E Early lessons from banking malware litigation: Focus of legal analysis is almost entirely on the bank s conduct, not the customer s security precautions Customers lose when they turn down security measures offered by banks Banks can t rely on single approach to blocking fraudulent transactions Technology that was reasonable yesterday may not be reasonable tomorrow Some form of transaction monitoring and anomaly detection probably is inevitable 18

19 Other Cybercrime Directed at Banks E Hacking of payment card systems Gain access to pre-paid debit or credit card account information Alter withdrawal limits Coordinate withdrawal operations Often paired with DDoS and phone flooding attacks on banks Two recent public examples: 19

20 Other Cybercrime Directed at Banks E 20

21 Other Cybercrime Directed at Banks E 21

22 Other Cybercrime Directed at Banks E Hacking of bank computers used to initiate or authorize payments. Two recent public examples: 22

23 Other Banking Cybercrime Vulnerabilities E Knowledge-based authentication systems KBA systems used to score validity of credit applications Compromises of data brokers provide information needed to answer validation questions Large quantities of stolen personal data have been sold underground 23

24 Other Banking Cybercrime Vulnerabilities E Remote deposit capture applications: Deposit money order (remotely) Negotiate money order (in person) Withdraw funds from account 24

25 Other Banking Cybercrime Vulnerabilities E In addition, banks have all the same vulnerabilities as other businesses. Theft of proprietary information By employees By outsiders Data breaches not just PCI Customer data used for marketing purposes Employee data Computer compromises 25

26 Other Banking Cybercrime Vulnerabilities A note about extortion schemes: We have your data (or your network) give us your money.

27 Other Banking Cybercrime Vulnerabilities E Credit risk for borrowers Costs of cybercrime event can be disastrous, particularly for small and mid-sized businesses Is cyber risk assessment part of loan underwriting process? Are banks looking to see whether borrowers have appropriate cyber insurance policies? Merger & Acquisition due diligence increasingly encompasses cyber risk 27

28 Mitigating the Risk of Cybercrime The big-picture goals of reducing cyber risk: Make your computers and data harder to compromise Reduce the damage from a compromise by: Limiting the scope of a compromise by segregating sensitive data Reducing the time to detection To accomplish these goals, it is critical to: Identify someone in your organization with responsibility, authority, and resources to implement an effective security policy Regularly assess your security risks and the measures taken to meet them 28

29 Mitigating the Risk of Cybercrime Reducing the risk from banking malware Know your customer spot anomalous transactions Don t rely on off-the-shelf solutions without understanding, monitoring, and adjusting them Educate customers about their risks and your security offerings Educate employees about red flags indicating possible account compromise Monitor developments in malware and account takeover technology and tactics ACH Positive Pay 29

30 Mitigating the Risk of Cybercrime What can bank customers do to reduce risks from banking malware? Use a dedicated computer for banking, with limited access to non-banking sites and Avoid using a Windows computer Bookmark the bank s web site Use security tools offered by the bank, including multi-factor authentication ACH Positive Pay Require multiple authorizations for large wire transfers Be alert for signs of compromised authentication channels 30

31 Mitigating the Risk of Cybercrime E Simple steps banks can take to reduce the risk of a compromise of your data and systems: Encrypt data in motion and at rest Install software security patches regularly and promptly Train employees to avoid security threats Use robust passwords and change them; no default passwords Use multi-factor authentication for remote access by employees from outside the office, and for sensitive on-line accounts such as financial accounts and cloud storage of patient data Terminate dormant user accounts Use up-to-date virus scanning software Periodically audit compliance with data security rules 31

32 Mitigating the Risk of Cybercrime E Steps for reducing insider cybercrime and data breach risk: Create written employee conduct policies, including social media use policies Consider blocking the use of external storage devices and restricting internet sites that can be used to exfiltrate sensitive information Create tiered access to sensitive information not everyone needs access to everything Background checks for employees with access to sensitive information Employee exit procedures acknowledgement of post-employment obligations; termination of account access Dual controls for access to certain sensitive information and systems 32

33 Mitigating the Risk of Cybercrime E Reducing the risk of employee negligence: Good management of risks concerning malicious conduct will reduce risks associated with negligence Encryption Don t store data unnecessarily Data security policies and audits Employee training Audit compliance with data security rules 33

34 Mitigating the Risk of Cybercrime E Simple steps you can take to reduce the damage if (or when) a compromise occurs: Don t store data you don t need Know where your data is Create internal walls within your network to protect sensitive data Train employees to spot and report anomalies Monitor logs in your system to detect anomalies 34

35 Responding to a Cybercrime Incident E Responding to an incident legal and practical considerations: Develop an incident response plan Who is part of the response team inside and outside resources, counsel? When is the plan implemented? What actions need to be taken, and in what order? How will you take those actions? Do you know where your data is? Do you have adequate logging on your system? Train employees regarding the plan, and test the plan Review insurance coverage Review agreements with third parties who access your data 35

36 Responding to a Cybercrime Incident E When an incident happens: Preserve critical data quickly Know your in-house forensic capabilities before doing it yourself Conduct an internal investigation If you need law enforcement help with the investigation, reach out promptly Law enforcement involvement won t eliminate the need for an internal investigation, because what bank needs to know differs from what law enforcement needs to know If bank conducts its own investigation, it can choose not to waive privilege Grand jury secrecy rules limit what law enforcement is allowed to share with victims 36

37 THANK YOU strozfriedberg.com David Glockner