Online Cash Management Security: Beyond the User Login

Transcription

1 Online Cash Management Security: Beyond the User Login Sonya Crites, CTP, SunTrust Anita Stevenson-Patterson, CTP, Manheim February 28, 2008

2 Agenda Industry Trends Government Regulations Payment Fraud is Big Business Online Fraud Best Practices Reference Materials and Handouts 2

3 3 Industry Trends

4 Payment Methods Subject to Fraud in 2006 Industry Trends 100% 75% 93% 50% 35% 25% 17% 14% 5% 3% 3% 0% Checks ACH debits Consumer Credit Cards Corporate Purchasing Cards Consumer Debit cards ACH Credits Wire Transfers Source: 2007 AFP Payments Fraud Survey 4

5 Check Fraud Industry Trends Many organizations use fraud control services Many organizations have tightened internal controls to avoid financial loss. 42% of organizations that experienced at least one payments fraud attempt reported no losses from the attempt. 86% of survey respondents report that their organizations had adopted positive pay services prior to 2006 to protect against check fraud. Only 30 % used payee positive pay before

6 Industry Trends ACH Fraud Companies that experienced loss failed to use available services or to follow best practices. 1/2 of organizations did not use ACH debit blocks or filters 22% failed to reconcile their accounts or return fraudulent ACH debits on a timely basis Smaller organizations (< $1 billion in revenue) - were nearly 3 times as likely as larger organizations to have suffered losses resulting from ACH fraud. Source: 2007 AFP Payments Fraud Survey 6

7 Government Regulations Federal Financial Institutions Examination Council (FFIEC) issued a mandated guidance requiring all financial institutions to provide stronger online authentication methods Applies to both retail and commercial clients Does not endorse any particular technology Necessary for compliance with requirements to safeguard customer information to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft to promote the legal enforceability of their electronic agreements and transactions Source: Authentication in an Internet Banking Environment, FFIEC 7

8 Government Regulations Existing authentication methodologies involve three basic factors Something the user knows (e.g., password, PIN); Something the user has (e.g., ATM card, smart card); and Something the user is (e.g., biometric characteristic, such as a fingerprint) FFIEC guidelines require at least 2 factors to be used in authenticating clients as they login Source: Authentication in an Internet Banking Environment, FFIEC 8

9 Government Regulations Common solutions being offered by various financial institutions include Hardware or software tokens Biometric identification (e.g., fingerprints, voice, retinal) PC fingerprinting out-of-band approvals One-time passwords Smart cards Digital certificates Source: Authentication in an Internet Banking Environment, FFIEC 9

10 Checks Payment Fraud is Big Business In 2003, check fraud cost the industry $677 million American Bankers Association In 2004, check fraud exceeded $20 billion per year The Nilson Report Estimate that 1.2 million fraudulent checks are written everyday Office of the Comptroller of the Currency 10

11 Electronic Payment Fraud is Big Business The banking industry s losses from ACH fraud rose 62.5% in 2005 to $65 million Financial Insights Illicit wire transfers are easily hidden among the almost 1,000,000 mostly legitimate wire transfers that occur daily in the U.S. Brighterion Credit card fraud rose from $1.7B in 2000 to $2.7B in 2004 Celent Communications 11

12 Means of Access Payment Fraud is Big Business Key: Primarily Business Controlled Primarily Consumer Controlled Online Access - Primarily Consumer Controlled Some other way, 7% Misuse of data from an instore/onsite/mail/telephone transaction, 7% Stolen from a company that handles your financial data, 6% Taken by a corrupt business employee, 15% Company viruses, spyware, or hackers, 5% Phishing, 3% Online transactions, 0.3% Garbage, 1% From stolen paper mail or by fraudulent change of address, 8% By friends, acquaintances, relatives or inhome employees, 15% Lost or stolen wallet, checkbook or credit card, 30% Source: 2006 Javelin Research & Strategy Identity Fraud Survey Report 12

13 External Forms Online Fraud Phishing the use of fraudulent s or pop-up Web pages that appear legitimate and are designed to deceive a user into sharing personal or account information. Segmentation of US Banking Brands Attacked by Phishing From: Your Bank [mailto:serviceteam.refmt [email protected]] Sent: Monday, July 16, :43 PM To: John.Doe Subject: Your Bank Client Service Team: Notification! (message id: dz ) Dear Your Bank customer, Your Bank Client Service Team requests you to complete Online Cash Management Customer Form. This procedure is obligatory for all business and corporate clients of Your Bank. Please click hyperlink below to access Online Cash Management Customer Form. Thank you for choosing Your Bank for your business needs. Please do not respond to this . This mail generated by an automated service. =============================================================== =========================== Source: RSA Security 13

14 External Forms (cont d) Online Fraud Pharming occurs when hackers manipulate Internet mapping so that when you type in a legitimate Web address you are redirected to a fraudulent Web site without your knowledge. Spyware malicious software that can be loaded on your computer without your knowledge and used to capture user IDs and passwords as you access Web sites. Trojans malicious programs that pop up over login screens to collect online credentials with the information to be transmitted to the phisher for misuse. July 2007 was the 3rd highest month in the past year. The RSA Anti Fraud Command Center identified attacks against 15 institutions that it had not seen attacked before. 14

15 External Forms (cont d) Online Fraud Keyloggers programs that monitor web usage and collect login credentials from targeted sites including financial institutions. Man in the Middle a form of phishing in which the phisher positions himself between the user and the legitimate site. Messages intended for the legitimate site are passed to the phisher instead, who saves valuable information, passes the messages to the legitimate site, and forwards the responses back to the user. Source: RSA Security 15

16 Internal Forms Online Fraud Collusion Cooperation among two or more employees to commit fraud by embezzling funds. Unauthorized payment initiation Payments initiated using unauthorized account information disclosed either by phishing or internal employee access to online services, account or checks. Check stock theft Theft of check stock with the intent to cash checks to purchase goods and withdraw funds. Check alterations Fraudulent changes made to the amount or name on a check. 16

17 Company Controls Recommended Best Practices Online Cash Management Controls Reconcile accounts frequently Implement segregation of duties Define transaction limits Delete employee online user IDs as part of exit procedures Require monthly password resets with strong password formats Disable employee user IDs when on vacation or leave Remove unnecessary entitlements from employees Review activity reports daily 17

18 PC and Network Security Controls Best Practices Ensure all PCs are current with virus protection and are protected by firewalls Download & install security patches Do not divulge account information Do not divulge login information Beware of file sharing Encrypt your data Don t underestimate the need to educate employees on fraud awareness and prevention. 18

19 Best Practices Avoid setting up Super Users Set up at least 2 users for initiation and approval of online payments 19

20 Best Practices Segregation of duties creates a barrier to unauthorized payment initiation for phishers or internal employees by requiring a separate user to approve the payment Multi-factor authentication combined with segregation of duties provides the highest level of security offered commercially in the market today 20

21 Bank Controls Available Best Practices Automated alerts sent to multiple managers when unusual transactions occur Payment initiated above designated threshold Multi-factor authentication (something the user knows; something the user has) IP address and device restrictions Hardware or software tokens Smart cards Digital Certificates 21

22 Fraud Prevention and Detection Services Best Practices Positive Pay; Reverse Positive Pay; ACH Positive Pay ACH debit blocking Bank defined wire templates Payment initiation workflow that provides flexible control release capabilities Segregation of duties Fixed or dynamic approvals Payment amount limits 22

23 Reference Materials and Handouts Best Practices Checklist Sample RFP Questions Online Fraud Awareness and Prevention Flyer Reference Web Sites

24 Contacts Sonya Crites, CTP Group Vice President, SunTrust Anita Stevenson-Patterson, CTP Director of Treasury Operations & Patriot Compliance Officer, Manheim SunTrust Client Commitment: SunTrust will never send unsolicited s asking clients to provide, update, or verify personal or account information, such as passwords, Social Security numbers, PINs, credit or Check Card numbers, or other confidential information. SunTrust Bank, Member FDIC SunTrust Banks, Inc. SunTrust is a federally registered service mark of SunTrust Banks, Inc. 24