Online Banking Risks - eFraud: Hands off my Account!

Assault on Authentication: Online Banking Fraud
- Significant increase in account compromises via online banking systems
- Business accounts are the primary targets
  - More money to steal
  - Often associated with the money mule scam
- Consumer accounts
- Credit union accounts at corporate credit unions
- Cyber thieves use the ACH or wire feature to transfer funds to accounts at other institutions
Source: Financial Services Information Sharing and Analysis Center (FS-ISAC) at www.fsisac.com

Assault on Authentication: Phishing
- The attack starts with phishing
  - Spear phishing: targets a select group of employees at the same company; the phishing emails are sent only to those employees
  - Whale phishing: targets a company's top executives
- Malicious software (malware)
  - The user's computer is infected with a banking Trojan by opening an infected attachment or visiting an infected web site (a drive-by download)
  - The Trojan captures online banking login credentials
Assault on Authentication: Man-in-the-Browser Attacks - Zeus
- The user's web browser is infected with a Trojan (e.g., Zeus)
- A toolkit feature allows cyber thieves to target specific online banking web sites
- The Trojan awakens when the user visits a targeted online banking site
- The cyber thief piggybacks on the user's online banking session
  - Modifies the user's actions in real time: the transaction entered by the user is rewritten by the Trojan, and the dollar amount and destination account are changed without the user's knowledge
  - Can also work independently of the user and log in to the online banking system over the user's own Internet connection
- Easily defeats the most common two-factor authentication method offered by credit unions: computer recognition via cookie plus answers to challenge questions, because both are presented from the member's own, already authenticated browser

Money Mule Scam: Man-in-the-Browser Attacks - Zeus (flow)
1. The cybercrook sends a password-stealing Trojan as an email attachment or as a link to an infected website.
2. The user logs into the online banking system; the Trojan wakes up when a targeted online banking website is visited.
3. The user enters transfers (ACH or wires).
4. The MITB overwrites the user's transaction, changing dollar amounts and destination accounts.
5. Funds are sent to the money mules.
6. The mules withdraw the money and wire it to the cybercrooks.

Man-in-the-Browser Attack Overwrites User's Transaction (diagram)
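The following is an added example, not part of the presentation, that simulates the attack flow above and the control that actually addresses it: out-of-band transaction verification in which the confirmation code is bound to the transaction as the bank received it, and the member sees those details on a separate device before echoing the code. Cookie-based PC recognition and challenge questions are deliberately not modelled, since the Trojan rides the member's own authenticated session and they pass either way. Account numbers, amounts, the "phone" message and the helper names are all constructed.

```python
# Added example; not the presentation's code. Simulates a Zeus-style
# man-in-the-browser rewriting a transfer after the member submits it, and
# shows why an out-of-band confirmation bound to the received transaction
# details catches the rewrite. All values are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    dest_routing: str
    dest_account: str


def mitb_rewrite(submitted: Transfer, mule: Transfer) -> Transfer:
    """What the Trojan does inside the browser: the member still sees the
    transfer they typed, but the request that reaches the bank is the mule's."""
    return mule


# Bank-side secret used to derive confirmation codes; never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def issue_oob_challenge(received: Transfer) -> dict:
    """Bank side: derive a short code from the transaction AS RECEIVED and push
    the code together with the details to the member's phone (out of band)."""
    msg = f"{received.amount_cents}|{received.dest_routing}|{received.dest_account}".encode()
    code = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]
    return {"details": received, "code": code}


def member_confirms(intended: Transfer, phone_message: dict) -> Optional[str]:
    """Member side: compare the details shown on the phone with what they meant
    to send; only if they match is the code typed back into the browser."""
    if phone_message["details"] != intended:
        return None  # mismatch: the member refuses and calls the credit union
    return phone_message["code"]


def bank_finalize(received: Transfer, code_entered: Optional[str], challenge: dict) -> bool:
    """Bank side: release funds only if the member echoed the code that was
    bound to the transaction the bank actually received."""
    if code_entered is None:
        return False
    return hmac.compare_digest(code_entered, challenge["code"])


def run_scenario(browser_infected: bool) -> bool:
    """Returns True if the transfer is released. Constructed values throughout."""
    intended = Transfer(25_000_00, "011000015", "123456789")
    mule = Transfer(9_850_00, "021000021", "998877665")
    received = mitb_rewrite(intended, mule) if browser_infected else intended
    # Device cookie and challenge answers would pass in both branches because
    # the Trojan operates inside the member's live session; nothing checks them.
    challenge = issue_oob_challenge(received)
    code = member_confirms(intended, challenge)
    return bank_finalize(received, code, challenge)


if __name__ == "__main__":
    print("clean browser:", run_scenario(False))    # True
    print("infected browser:", run_scenario(True))  # False
```

The control holds only as long as the second channel is independent of the infected PC: the member must actually read the amount and destination on the phone rather than just copy the code, and the phone itself must not be compromised (mobile Trojans that forward confirmation SMS messages to the attacker, such as the Zeus-in-the-mobile variant, exist).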
Assault on Authentication: In the News
Articles from www.krebsonsecurity.com:
- July 2009: PC Invader Costs KY County $415,000
- September 2009: Cyber Thieves Steal $447,000 from Wrecking Firm
- September 2009: Cyber Crooks Target Public & Private Schools
- January 2010: FBI Investigating Theft of $500,000 from NY School District
- January 2010: Cyber Crooks Cooked the Books at Florida Library
- February 2010: Hackers Steal $150,000 from Michigan Insurance Firm
- February 2010: IT Firm Loses $100,000 to Online Bank Fraud
- February 2010: NY Firm Faces Bankruptcy from $164,000 E-Banking Loss
- March 2010: Online Thieves take $205,000 Bite out of Missouri Dental Practice
- April 2010: Computer Crooks Steal $100,000 from Illinois Town
- June 2010: E-Banking Bandits Stole $465,000 from California Escrow Firm
- August 2010: Crooks Steal $600,000 from Catholic Diocese
- October 2010: Hackers Steal $600,000 from Brigantine, NJ
- February 2011: Sold a Lemon in Internet Banking (car dealer loses $63K)
- June 2011: FBI Investigating Cyber Theft of $139,000 from Pittsford, NY
- July 2011: eBanking Theft Costs Town of Eliot, ME $28K
- August 2011: eThieves Steal $217K from Arena Firm

Online Banking for Business Members
- More credit unions are offering online banking for businesses (fee based service)
- Business online banking includes the high-risk transactions: bill pay, ACH and wire transfers
- Increases risk to credit unions
  - Businesses carry higher deposit account balances, which means more money to steal
  - Business line-of-credit loans

Loss Scenario: Phishing
- Credit union members were phished and provided account numbers and online banking passwords
- Multiple ACH transactions using the account-to-account transfer service (A2A) sent funds to other financial institutions
- Initially, all accounts set up on online banking could use the A2A feature; the hackers activated A2A simply by clicking the "I agree" button on the A2A agreement
- Large dollar transactions were allowed
- The credit union now restricts the A2A feature to members who enroll and qualify for it, and has implemented monetary and frequency limits
Loss Scenario: Bill Payer
- The business member's account was set up for online banking by the fraudster through the credit union's web site
  - Similar losses involved setting up a member's account on online banking based on a phone call from the fraudster, with only a weak attempt to authenticate the member
- The fraudster activated bill payer; access was granted simply by clicking the "I agree" button on the bill pay agreement/disclosure, with weak or no attempt to authenticate the member
- No controls were in place to validate new payees
- Inadequate monetary limitations: large dollar bill pay transfers went to accounts at other financial institutions
- Loss exceeded $600,000

Loss Scenario: Banking Trojan
- The member's computer was infected with a banking Trojan
- The fraudster obtained the account number, username and online banking password
- Challenge/security questions are asked when the member's account is accessed from a different computer; the fraudster had the answers, captured by the banking Trojan
- The fraudster used bill payer to move funds out of the account
  - The member had never used bill pay; the fraudster activated it simply by clicking the "I agree" button on the bill pay agreement/disclosure
  - No controls to validate new payees

Loss Scenario: 3rd Party EFT System Attack
- A banking Trojan captured a credit union employee's username and password for the corporate credit union's EFT system
- The corporate account was accessed from a different IP address; the fraudster successfully answered the challenge questions
- Over 100 ACH credits were entered into the system over a 2 day period
- Loss exceeded $1 million
Authentication Options
- Something you know: password, challenge questions
- Something you have: IP address (PC recognition), USB token, smart card, password-generating token
- Something you are: biometrics
MITB attacks have rendered what was once considered strong multifactor authentication ineffective: the Trojan waits until the member has presented every factor and then alters or initiates transactions inside that authenticated session, so authentication alone does not protect the transaction.

Online Banking Credit Union Loss Controls
- New members should not automatically be set up on online banking and audio response systems
  - May violate Reg E: online banking passwords and audio response PINs are considered an access device under Reg E, and an access device cannot be issued without a request from the member
- Adopt strong authentication measures to verify the identity of members who enroll for online banking via the credit union's web site
- Implement strong online banking password controls
- Grant transaction capabilities only upon request
- Implement reasonable dollar and frequency limits
Let's not make it easy for fraudsters.

Online Banking Controls: Password Security
- Reduce the risk of guessed passwords: don't issue passwords in a recognizable pattern (last 4 digits of SSN, birth date)
- Use system-generated random passwords: 7 to 9 characters long, case sensitive, alphanumeric, with special characters (e.g., ! @ # $ &)
- Mail to the member in a PIN mailer using the address of record; make sure the address has not been changed in the last 30 days
- Or email (encrypted) to the member using the email address provided at account opening; make sure the email address has not been changed in the last 30 days
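As an added example (not the presentation's code), the password issuance rules above can be turned into a small procedure: draw the password from a CSPRNG with the required character classes, reject anything containing the member's SSN digits or birth date, and pick the delivery channel only if the corresponding contact detail has been stable for 30 days. The member record fields (`ssn_last4`, `birth_date`, `address_changed`, `email_changed`) and the sample member are assumptions. The slide's 7 to 9 character bound is kept as the default; longer passwords are strictly better and the generator accepts them.

```python
# Added example; not the presentation's code. Generates the system-issued
# online banking password described on the slide and decides how it may be
# delivered. Rules are the slide's; the member record layout is assumed.
import secrets
import string
from datetime import date, timedelta

SPECIALS = "!@#$&"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def generate_password(length: int = 9) -> str:
    """CSPRNG-based; retries until every character class is present so the
    result cannot be accidentally all-lowercase or all-digits."""
    if length < 7:
        raise ValueError("slide minimum is 7 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def resembles_member_data(pw: str, ssn_last4: str, birth_date: date) -> bool:
    """The 'recognizable pattern' check: reject anything containing the last
    four of the SSN or a common rendering of the birth date."""
    dob_forms = {birth_date.strftime(f) for f in ("%m%d%Y", "%m%d%y", "%Y%m%d", "%m%d")}
    return ssn_last4 in pw or any(d in pw for d in dob_forms)


def delivery_channel(member: dict, today: date) -> str:
    """PIN mailer to the address of record, or encrypted email to the address
    given at account opening; hold if both were changed within the last 30
    days, because someone who has taken over the account may have changed
    them first. 'address_changed'/'email_changed' are assumed record fields."""
    window = timedelta(days=30)
    if today - member["address_changed"] >= window:
        return "pin_mailer"
    if today - member["email_changed"] >= window:
        return "encrypted_email"
    return "hold_for_manual_verification"


def issue_password(member: dict, today: date) -> tuple:
    """Full flow: pick a channel, then draw passwords until one passes the
    pattern check. Returns (password, channel); password is None on hold."""
    channel = delivery_channel(member, today)
    if channel.startswith("hold"):
        return None, channel
    while True:
        pw = generate_password()
        if not resembles_member_data(pw, member["ssn_last4"], member["birth_date"]):
            return pw, channel


if __name__ == "__main__":
    member = {  # constructed member record
        "ssn_last4": "1234",
        "birth_date": date(1970, 3, 14),
        "address_changed": date(2011, 1, 2),
        "email_changed": date(2011, 8, 20),
    }
    print(issue_password(member, date(2011, 9, 1)))
```

The pattern check is deliberately applied after generation rather than by excluding digits from the alphabet, so the password keeps its full entropy and only the rare collision with member data is discarded.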
Online Banking Controls: Password Resets
- Don't reset a password based on a phone request under any circumstances
  - Fraudsters have too much information (data mining techniques); this is one of the easiest ways to take over member accounts
- Generate another random password
  - Mail to the member in a confidential mailer using the address of record
  - Or email (encrypted) to the member using the email address provided at account opening
  - Make sure the mailing address/email address have not been changed in the last 30 days

Online Banking Payment Services
- Don't allow immediate access to payment services when requested
- Authenticate members requesting access to online banking payment services (bill pay, ACH and wires)
  - Implement an enrollment process
  - Send the member a confirmation email using the email address provided at account opening
  - Challenge questions
- Implement monetary and frequency limitations for all payment services offered on online banking; failure to do so increases the risk of large losses
- Bill pay: confirm new payees with the member by sending an email to the email address provided at account opening
- Fraud monitoring system: access behavior and transaction monitoring
- Implement out-of-band transaction verification for large dollar transfers

Loss Controls: 3rd Party EFT Systems
- Use the strongest form of authentication offered by the vendor; usernames, passwords and challenge-response questions are being compromised
  - Token device
  - IP address restriction: restricting access to the credit union's IP address is not foolproof, since a Trojan on the credit union's own computer connects from that address and source addresses can also be spoofed
- If offered, restrict the days and hours of access to the ACH and wire systems
- Dual control requirements: data entry vs. verification/authorization
- Establish monetary limits, with a validation and confirmation process for transfers exceeding a specific dollar amount
- Restrict the credit union computer used to access the third party EFT system
  - Dedicate it for this purpose: no personal email access, web surfing prohibited
  - Use a bootable operating system (stored on external media like a flash drive) or a software program that provides an equivalent clean environment
- Do not allow telecommuters to access the EFT system using a home computer
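The limits, day/hour restrictions, workstation IP restriction and new-payee confirmation above are easiest to reason about when applied together to a batch of entries. The following added example (not the presentation's code) runs those controls over a constructed ACH/wire log modelled on the 3rd party EFT loss scenario earlier in the deck: two normal payroll entries from the dedicated workstation during business hours, then a burst of large credits to unknown payees at 2 a.m. from another address. The policy values, field layout, IP addresses and log entries are all assumptions; in practice these signals would feed the vendor's fraud monitoring tool rather than a standalone script.

```python
# Added example; not the presentation's code. Layered controls run over a
# constructed batch of ACH/wire entries; returns the reasons each entry was
# flagged. Limits, field names, IPs and the sample entries are assumptions.
from collections import defaultdict
from datetime import datetime

POLICY = {
    "per_txn_limit_cents": 10_000_00,
    "daily_limit_cents": 25_000_00,
    "max_txns_per_day": 3,
    "allowed_weekdays": {0, 1, 2, 3, 4},      # Monday..Friday
    "allowed_hours": range(8, 18),            # 08:00-17:59 local
    "allowed_ips": {"203.0.113.10"},          # the dedicated EFT workstation (constructed)
}

# Constructed log: (timestamp, user, source IP, channel, amount in cents, payee)
SAMPLE_LOG = [
    ("2011-08-15T09:05:00", "opsclerk", "203.0.113.10", "ach", 4_200_00, "payroll-vendor"),
    ("2011-08-15T09:07:00", "opsclerk", "203.0.113.10", "ach", 3_900_00, "payroll-vendor"),
    ("2011-08-16T02:14:00", "opsclerk", "198.51.100.77", "ach", 9_950_00, "mule-001"),
    ("2011-08-16T02:15:00", "opsclerk", "198.51.100.77", "ach", 9_900_00, "mule-002"),
    ("2011-08-16T02:16:00", "opsclerk", "198.51.100.77", "ach", 9_800_00, "mule-003"),
    ("2011-08-16T02:17:00", "opsclerk", "198.51.100.77", "wire", 12_500_00, "mule-004"),
]

KNOWN_PAYEES = {"payroll-vendor"}


def evaluate(log, policy=POLICY, known_payees=KNOWN_PAYEES):
    """Returns a list of (entry, [reasons]) in log order; an empty reason list
    means the entry passed every control. Daily totals and counts are keyed
    by (user, calendar day) so the frequency and daily-limit checks
    accumulate across the batch."""
    per_day_total = defaultdict(int)
    per_day_count = defaultdict(int)
    seen_payees = set(known_payees)
    results = []
    for entry in log:
        ts_s, user, ip, channel, amount, payee = entry
        ts = datetime.fromisoformat(ts_s)
        key = (user, ts.date())
        reasons = []
        if amount > policy["per_txn_limit_cents"]:
            reasons.append("exceeds per-transaction limit")
        per_day_total[key] += amount
        if per_day_total[key] > policy["daily_limit_cents"]:
            reasons.append("exceeds daily limit")
        per_day_count[key] += 1
        if per_day_count[key] > policy["max_txns_per_day"]:
            reasons.append("exceeds daily frequency limit")
        if ts.weekday() not in policy["allowed_weekdays"] or ts.hour not in policy["allowed_hours"]:
            reasons.append("outside permitted days/hours")
        if ip not in policy["allowed_ips"]:
            reasons.append("source IP not the dedicated workstation")
        if payee not in seen_payees:
            reasons.append("new payee: confirm with member out of band")
            seen_payees.add(payee)
        results.append((entry, reasons))
    return results


def summarize(results):
    """Counts flagged entries and the amount held pending review."""
    flagged = [(e, r) for e, r in results if r]
    return {"flagged": len(flagged), "held_cents": sum(e[4] for e, _ in flagged)}


if __name__ == "__main__":
    res = evaluate(SAMPLE_LOG)
    for entry, reasons in res:
        print(entry[0], entry[1], f"${entry[4] / 100:,.2f}", reasons or "ok")
    print(summarize(res))
```

Note that the individual mule credits are each kept just under the per-transaction limit, which is why the daily total, frequency, hours and new-payee controls matter: a single control is exactly what the layered approach assumes will be evaded.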
FFIEC's Updated Authentication Guidance
- The Federal Financial Institutions Examination Council (FFIEC) issued updated authentication guidance on June 28, 2011
- Reinforces and stresses the importance of performing periodic risk assessments and adjusting authentication controls as appropriate
- Financial institutions must review and update risk assessments:
  - to reflect changes in the threat environment;
  - prior to implementing a new electronic service; or
  - at least every 12 months
- Multifactor authentication for high risk transactions
- Implement layered security controls: multiple controls at various points in the transaction process, so that if one control is compromised, others are in place to detect and prevent fraudulent transactions
- Examiners will start reviewing online banking controls under the updated guidance in January 2012

FFIEC Updated Authentication Guidance: Types of Layered Security Controls
- Fraud monitoring system to detect and effectively respond to suspicious transactions
- Out-of-band authentication
- Out-of-band transaction verification
- Monetary and frequency limits
- Techniques to limit the use of the account, such as ACH debit blocks
- Restrictions on the days and hours of access
- Internet Protocol (IP) reputation-based tools to block connections to online banking servers from IP addresses known or suspected to be associated with fraudulent activities
- Enhanced controls over account maintenance changes initiated by customers through the online banking channel or through the call center
- Enhanced customer education

FFIEC Updated Authentication Guidance: FFIEC's Minimum Expectations for Layered Security Controls
- Fraud monitoring system
- Enhanced administrative functions for business accounts:
  - the ability to set up multiple users and assign specific levels of authority to each user;
  - the ability to set up monetary limitations for each user who is authorized to initiate payments and transfers through bill pay, ACH and wires;
  - the ability to establish dual control requirements for initiating payments and transfers through bill pay, ACH and wires;
  - the ability for the administrator to receive activity reports from transaction logs for reporting purposes; and
  - the ability for the administrator to receive account maintenance reports to assess the validity of any maintenance changes.
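The administrative functions listed above can be modelled concretely. The following added example (not the FFIEC's or the presentation's code) implements named users with assigned authority, a per-user initiation limit, dual control (every transfer must be released by a different user who holds approval authority), and an activity log the administrator can report from per user. User names, limits, channels and amounts are constructed.

```python
# Added example; not the FFIEC's or the presentation's code. Minimal model
# of the business-account administrative functions: authority levels, per-user
# limits, dual control and an activity log. All names and amounts constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    can_initiate: bool = False
    can_approve: bool = False
    initiate_limit_cents: int = 0


@dataclass
class Transfer:
    ref: int
    channel: str          # "billpay", "ach" or "wire"
    amount_cents: int
    payee: str
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "pending_approval"


class BusinessAccount:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.transfers: Dict[int, Transfer] = {}
        self.log: List[str] = []
        self._next_ref = 1

    def add_user(self, user: User) -> None:
        self.users[user.name] = user
        self.log.append(f"admin added user {user.name} "
                        f"initiate={user.can_initiate} approve={user.can_approve} "
                        f"limit={user.initiate_limit_cents}")

    def initiate(self, by: str, channel: str, amount_cents: int, payee: str) -> Transfer:
        """Data entry step: requires initiate authority and stays within the
        user's own monetary limit. Nothing moves until approved."""
        u = self.users.get(by)
        if u is None or not u.can_initiate:
            raise PermissionError(f"{by} may not initiate transfers")
        if amount_cents > u.initiate_limit_cents:
            raise PermissionError(f"{by} limit {u.initiate_limit_cents} exceeded")
        t = Transfer(self._next_ref, channel, amount_cents, payee, by)
        self._next_ref += 1
        self.transfers[t.ref] = t
        self.log.append(f"{by} initiated {channel} #{t.ref} {amount_cents} to {payee}")
        return t

    def approve(self, by: str, ref: int) -> Transfer:
        """Verification/authorization step: a second person with approve
        authority releases the transfer."""
        t = self.transfers[ref]
        u = self.users.get(by)
        if u is None or not u.can_approve:
            raise PermissionError(f"{by} may not approve transfers")
        if by == t.initiated_by:
            # Dual control: entry and authorization must be two different people.
            raise PermissionError("initiator cannot approve their own transfer")
        if t.status != "pending_approval":
            raise ValueError(f"transfer #{ref} is {t.status}")
        t.approved_by, t.status = by, "released"
        self.log.append(f"{by} approved #{ref}; released")
        return t

    def activity_report(self, user: Optional[str] = None) -> List[str]:
        """Administrator's view of the log, optionally filtered to one user."""
        return [line for line in self.log if user is None or line.startswith(user + " ")]


def demo() -> BusinessAccount:
    """Constructed walk-through: a clerk enters an ACH credit, the controller
    releases it."""
    acct = BusinessAccount()
    acct.add_user(User("clerk", can_initiate=True, initiate_limit_cents=5_000_00))
    acct.add_user(User("controller", can_approve=True))
    t = acct.initiate("clerk", "ach", 4_500_00, "supplier-17")
    acct.approve("controller", t.ref)
    return acct


if __name__ == "__main__":
    for line in demo().activity_report():
        print(line)
```

The point of giving the controller no initiation authority and the clerk no approval authority is that a single stolen credential, which is what the banking Trojan scenarios above yield, cannot both enter and release a payment.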
Online Banking for Business Members
- Offer a strong multifactor authentication method due to the increased risk: not just passwords and challenge questions; out-of-band authentication
- Allow businesses to set up multiple users with the ability to assign specific levels of authority to each user, so businesses can set up internal controls
- Offer dual control capability for transfers; this prevents one employee from both entering and approving a transfer
- Fraud monitoring solution: user access behavior and individual transactions
- Out-of-band transaction verification for large dollar transfers

Mobile Banking (Who's in Your Mobile Wallet?)

Mobile Banking: Risks
- Same risks as online banking with a personal computer
  - Phishing, smishing and vishing
  - Viruses and malware such as Trojan keyloggers
- Lost handsets
- SMS text messages are not encrypted
- Applications infected with viruses/malware
Mobile Banking: Three Platforms
- SMS (Short Message Service) text messages
- WAP (Wireless Application Protocol) / browser based access from a web enabled mobile phone
- Downloading a dedicated application to the cell phone

Mobile Banking: SMS (Short Message Service)
- Uses the popular text-messaging standard; used mainly for checking account balances
- No guarantee that a message sent will be received
- Least secure method of mobile banking: messages are sent in clear text with no end-to-end protection (messages are not encrypted)
- Should not be used for transfers to 3rd parties
- Text messages should not contain account numbers or other sensitive information

Mobile Banking: WAP (Wireless Application Protocol)
- Uses a similar concept as online banking via a personal computer
- Login credentials stored on the device are a concern
Mobile Banking: Downloadable Applications
- Requires the user to download an application (app)
- May pose the greatest risk
  - Google's Android Market was plagued by fraudulent apps, discovered in December 2009
  - Members may download free apps containing malware
- Risk mitigation
  - Require members to only download signed applications, or
  - Require members to download the application from a trusted source, such as the credit union's website

Mobile Banking Best Practices: Credit Unions
- Due diligence in selecting the mobile banking platform and vendor
- Require secure socket layer (SSL) 128 bit encryption
- Have members download the mobile banking application only from trusted sources
- Out-of-band authentication
- Out-of-band transaction verification
- Implement fraud monitoring: monitor user access behavior and individual transactions
- Don't allow new payees to be added through the mobile banking channel
- Require strong passwords
- Don't allow members to change their password via the mobile device

Mobile Banking Best Practices: Members
- Password protect the mobile device
- Report lost/stolen mobile devices immediately to the carrier; the carrier will deactivate the phone
- Frequently delete messages received from financial institutions
- Do not modify the device: important security features may be disabled and the device may become susceptible to a virus or Trojan
- Install mobile security software; all the big vendors offer antivirus solutions for mobile devices
- Download apps only from reputable sites; download the credit union's required applications from the credit union's website
- Monitor accounts on a regular basis
Questions & Answers
Ken Otsuka, CPA
Senior Consultant - Risk Management
CUNA Mutual Group
Email: kenneth.otsuka@cunamutual.com
RM-EFRAUD-1010-(0411)

Disclaimer
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. For general information, please contact our company Sales Executive. The Credit Union Bond is underwritten by CUMIS Insurance Society, Inc., a member of the CUNA Mutual Group.

Credit Union Loss Scenarios - Case Studies
These claim examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language.