Questions You Should be Asking NOW to Protect Your Business!
Angi Farren, AAP, Senior Director
Jen Wasmund, AAP, Compliance Services Specialist
31st Annual Conference: SHAPE YOUR FUTURE, April 23, 2013

Regional Payments Associations, through their Direct Membership in NACHA, are specially recognized and licensed providers of ACH education, publications and support. Regional Payments Associations are directly engaged in the NACHA rulemaking process and the Accredited ACH Professional (AAP) program. NACHA owns the copyright for the NACHA Operating Rules & Guidelines. The Accredited ACH Professional (AAP) is a service mark of NACHA.

DISCLAIMER: This presentation and applicable materials are intended for general education purposes, and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

UMACHA 2013; All rights reserved.
Agenda
Fraud & Cybercrime Continue: Malware, Network Intrusion, Money Mules
ACH Security Legal Cases in the News
Corporate Account Takeover
New ACH Security Framework Rules Defined
Sound Business Practices
Tips to keep your company ahead of new NACHA Rule requirements
Solutions available to you from your Financial Institution
Strong Passwords
Activity Reporting
Fraud/Resources
Questions?

Did you know?
About 860,000 attempts are made EACH day to hack into systems.
About 75,000 new strains of malware appear EACH day.
Estimated losses from account takeover fraud were over $4.9 billion in 2012, an increase of 69% from 2011. [1]

1: Mitigating Online Account Takeovers: The Case for Education, Retail Payments Risk Forum, April 2013, http://www.frbatlanta.org/documents/rprf/rprf_pubs/130408_survey_paper.pdf?d=1&s=blogpr
Malware: Used to Facilitate Financial Crimes
Typical malware packages sold in the criminal underground:
Steal account credentials
Delete and steal cookies
Redirect the victim's browser
Allow remote access to the victim's computer
Enlist the victim's computer in a botnet

Network Intrusion
Gain access to the user's network
Obtain network admin rights
Capture credentials
Steal customer and employee information
Sophisticated programs
Money Mules
U.S. citizens launder stolen money
"Work from home" for a "foreign company"
Commission of 6-10%
Financial incentive to act fast
Frequently fueled by economic conditions and unemployment

Common recruitment scenarios:
You unexpectedly receive notice that you are getting a grant from the government or a foundation, and a processing fee is required.
A company hires you to work at home as a mystery shopper or payment processor and instructs you to send money somewhere as part of the job.
Someone sends you more than the asking price for an item you are selling and instructs you to wire the extra money somewhere else.
A stranger sends part of the profits you were promised in a foreign business deal and asks you to pay legal fees to get the rest.
Money Mule Example: 65-Year-Old Woman in Texas
Admitted she suspected the job might not be legitimate, but decided she needed the money too badly to turn it down.
Made $500 on a $9,099 transaction.
Sent the funds to Eastern Europe.
PATCO Construction v. People's United Bank
From May 7 to May 16, 2009, online transfers totaling over $580,000 were made from PATCO's account at its FI.
The dispute centered on whether the bank offered commercially reasonable security procedures.
The initial ruling was in favor of the bank; however, a July 2012 decision of the U.S. Court of Appeals for the First Circuit reversed it.
People's United and PATCO settled out of court for the amount of the losses, plus an additional $45,000 in interest expenses.

Choice Escrow & Land Title v. BancorpSouth
A single wire transfer request for $440,000 was submitted through BancorpSouth's online banking system from Choice Escrow's account.
Choice Escrow had previously declined security procedures offered by the bank for online transactions, specifically a requirement for dual control on all transactions.
A March 18, 2013 decision from the U.S. District Court for the Western District of Missouri ruled in favor of the bank because the company had declined the more stringent security procedures offered to it.
Corporate Account Takeover
A form of corporate identity theft in which a business's online banking credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity in the business's name.
It involves compromised identity credentials, not a compromise of the wire system or the ACH Network.
"ACH Fraud" and "Wire Fraud," terms mistakenly used to describe this type of criminal activity, are misnomers. The ACH Network is safe and secure.

Account Takeover
Companies and their FIs Must AVOID:
Apathy and pointing fingers (unproductive)
Stagnant approaches ("wait and see")
Thinking "It will not happen to us"
Thinking "We know our customers and we are different"

You've heard about CAT and other types of crime, so what are you trying to protect?
Your networks, your data, your systems, your company's deposit account balances, your reputation; in the end, all the things you do that make your company what it is!
ACH Security Framework
Aimed at protecting the security and integrity of certain ACH data throughout its lifecycle.
Establishes minimum data security obligations for ACH Network participants to protect ACH data within their purview.
Intended to be consistent with other data security obligations of ACH Network participants, without duplicating compliance burdens.

Requires non-consumer Originators, Participating DFIs, Third-Party Service Providers, and Third-Party Senders to establish, implement, and, as appropriate, update security policies, procedures, and systems related to the initiation, processing, and storage of Entries. These policies, procedures, and systems must:
Protect the confidentiality and integrity of Protected Information;
Protect against anticipated threats or hazards to the security or integrity of Protected Information; and
Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person.
Protected Information is defined as the nonpublic personal information, including financial information, of a natural person used to create, or contained within, an Entry and any related Addenda Record.
The definition not only covers financial information, but also includes sensitive non-financial information (such as health information) that may be incorporated into the Entry or any related Addenda Record.
The Rule applies to consumer information only, which is consistent with existing regulations and with the approach of aligning the Security Framework with existing industry regulations and guidance.

Access Controls
Security policies, procedures, and systems of ACH participants covered by this Rule must include controls on system access that comply with applicable regulatory guidelines.
Impacted systems include all systems used by the ACH participant to initiate, process, and store Entries.
As noted in a NACHA published document: "The Rules do not establish oversight requirements for ODFIs attempting to monitor and enforce the compliance with these provisions; instead, as with all other provisions of the Rules, there is a requirement that ODFIs perform due diligence with respect to their Originators and 3rd party senders that is sufficient to form a reasonable belief that the originator or 3rd party sender has the capacity to perform its obligations in conformance with the Rules."

Originators:
Determine whether existing policies, procedures, and systems are in place that would enable the Originator to comply.
Originators that do not have such policies, procedures, and systems in place will need to establish and/or update them to ensure compliance.

ODFIs:
Determine whether existing policies, procedures, and systems are in place that would enable the ODFI to comply.
ODFIs that do not have such policies, procedures, and systems in place will need to establish and/or update them to ensure compliance.
Make ongoing, commercially reasonable efforts to verify the identity of Originators and Third-Party Senders.
Add this verification to the annual Rules Compliance Audit.
Sound Business Practices
1. Initiate ACH and wire transfer payments under dual control.
2. Online commercial banking customers should execute all online banking activities from a dedicated, stand-alone, completely locked-down computer system on which email and web browsing are not possible.
3. Limit administrative rights on users' workstations to prevent inadvertent downloading of malware (no web surfing with admin rights).
4. Reconcile all banking transactions on a daily basis.
5. Financial institutions and companies should implement an awareness communications program to advise customers of current threats and fraud activities.

Network and IT Controls
1. Perimeter router blocking of all unnecessary ports.
2. Intrusion Prevention Systems at the perimeter and on the internal network.
3. Firewalls with a default-deny configuration.
4. Layered anti-virus systems from different vendors at key access points and services.
5. Web proxy systems with automated malicious-site blocking and analysis of outgoing activity.
6. Perimeter spam and malicious-content filtering.
7. Least-privilege doctrine for all users, to prevent unauthorized software installation and help block installation of malicious code.
8. Vulnerability scanning program with patch and mitigation service levels defined.
9. Comprehensive patch management program that patches critical and high-risk vulnerabilities within a short period of time.
10. Web and email surveillance tools to identify information leakage and compromise.
11. Security incident management capability to correlate events.
12. Subscribe and CONTRIBUTE to appropriate information-sharing systems.
13. Prepare and implement an Incident Response Plan.
14. Develop a relationship with your local FBI and USSS field offices.
Solutions Available from Your Financial Institution
Positive Pay and Reverse Positive Pay
Debit blocks and filters: stop all debits, or stop all but specific debits
Separate accounts for separate processes: one for payroll, another for receivables, etc.
Account reconciliation, DAILY!!
Balance reporting

Out-of-Band Verification of Files and Transactions
What is it?
Phone call (voice authentication or just a simple phone call)
Text message (SMS)
Secure e-mail
Fax
Why do it?
To authenticate that the file or transaction is what you intended to generate.
It is a fraud prevention method, but it may also prevent unintentional processing errors (such as sending the wrong week's payroll file to your FI).
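Three of the controls above, dual control on the company's own entries (Sound Business Practices, item 1), a debit filter with per-originator caps, and the daily reconciliation of the bank's activity report against what the company actually issued, in working form. This is an added example and is not part of the UMACHA deck or any NACHA publication. It assumes the company records the trace number of each entry it submits and that the bank's activity report carries the same trace number, originating company ID, amount and direction; the company ID, trace numbers, amounts, names and filter table are constructed for illustration, and real ACH files and activity reports carry many more fields.

```python
"""Daily ACH reconciliation with dual control and a debit filter (added example)."""
from dataclasses import dataclass
from decimal import Decimal

# Assumed identifiers and amounts; all constructed for this example.
OUR_COMPANY_ID = "9876543210"   # our own originating company ID as it appears on our entries


@dataclass(frozen=True)
class IssuedEntry:
    """An entry our company submitted to the FI, with who initiated and who approved it."""
    trace: str
    amount: Decimal
    initiator: str
    approver: str


@dataclass(frozen=True)
class ReportedEntry:
    """One line of the bank's activity report for our account."""
    trace: str
    company_id: str     # originating company ID of whoever created the entry
    amount: Decimal
    debit: bool         # True when money leaves our account


# Debit filter: the only third parties allowed to debit us, each with a cap.
# Any debit from an originator not listed, or above its cap, is blocked.
DEBIT_FILTER = {
    "1234567890": Decimal("25000.00"),   # assumed: payroll service provider
    "2223334445": Decimal("1500.00"),    # assumed: utility company
}


def dual_control_ok(entry: IssuedEntry) -> bool:
    """Dual control: a second, different person must approve what the initiator created."""
    return bool(entry.approver) and entry.approver != entry.initiator


def reconcile(issued, reported, our_company_id=OUR_COMPANY_ID, debit_filter=DEBIT_FILTER):
    """Compare the bank's activity report with the entries we issued.

    Returns a dict with:
      matched               -- our own entries that posted exactly as issued
      unexpected_debits     -- debits carrying our company ID that we never issued
                               (the signature of an account takeover)
      blocked_debits        -- third-party debits rejected by the debit filter (trace -> reason)
      missing_issued        -- entries we issued that the bank did not post
      dual_control_failures -- issued entries that lacked an independent approver
    """
    issued_by_trace = {e.trace: e for e in issued}
    result = {
        "matched": [],
        "unexpected_debits": [],
        "blocked_debits": {},
        "missing_issued": [],
        "dual_control_failures": [e.trace for e in issued if not dual_control_ok(e)],
    }
    seen = set()
    for r in reported:
        if not r.debit:
            continue    # incoming credits (receivables) are not subject to the debit filter
        if r.company_id == our_company_id:
            ours = issued_by_trace.get(r.trace)
            if ours is None or ours.amount != r.amount:
                result["unexpected_debits"].append(r.trace)
            else:
                result["matched"].append(r.trace)
                seen.add(r.trace)
            continue
        cap = debit_filter.get(r.company_id)
        if cap is None:
            result["blocked_debits"][r.trace] = "originator not on debit filter"
        elif r.amount > cap:
            result["blocked_debits"][r.trace] = f"amount {r.amount} exceeds cap {cap}"
    result["missing_issued"] = [t for t in issued_by_trace if t not in seen]
    return result


# Constructed sample day: what we issued and what the bank reported.
SAMPLE_ISSUED = [
    IssuedEntry("T001", Decimal("4200.00"), "alice", "bob"),     # payroll, properly approved
    IssuedEntry("T002", Decimal("980.00"), "alice", "alice"),    # self-approved: no dual control
    IssuedEntry("T003", Decimal("310.00"), "carol", "bob"),      # never shows up at the bank
]
SAMPLE_REPORTED = [
    ReportedEntry("T001", OUR_COMPANY_ID, Decimal("4200.00"), debit=True),
    ReportedEntry("T002", OUR_COMPANY_ID, Decimal("980.00"), debit=True),
    ReportedEntry("T009", OUR_COMPANY_ID, Decimal("12500.00"), debit=True),   # not ours
    ReportedEntry("T010", "1234567890", Decimal("18000.00"), debit=True),     # within cap
    ReportedEntry("T011", "2223334445", Decimal("2100.00"), debit=True),      # over cap
    ReportedEntry("T012", "5556667778", Decimal("75.00"), debit=True),        # unknown originator
    ReportedEntry("T013", "3334445556", Decimal("9000.00"), debit=False),     # incoming receivable
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_ISSUED, SAMPLE_REPORTED).items():
        print(f"{key}: {value}")
```

On the sample day the report flags T009 as a debit under our own company ID that nobody issued, which is exactly what a takeover of the online banking credentials looks like and why the deck insists on daily reconciliation; T011 and T012 are stopped by the debit filter, T003 is an issued entry the bank never posted (a file that did not arrive, or was altered), and T002 is caught by the dual-control check before it is a bank problem at all.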
Where to Report Fraud
FDIC's Cyber-Fraud and Financial Crimes Section, email: alert@fdic.gov
FTC's Complaint Center: www.ftccomplaintassistant.gov/
Internet Crime Complaint Center (IC3): www.ic3.gov

Resources
Better Business Bureau: Data Security Made Simpler, http://www.bbb.org/data-security/
ABA: The Small Business Guide to Corporate Account Takeover, http://www.aba.com/solutions/fraud/pages/corporateaccounttakeoversmallbusiness.aspx
U.S. Chamber of Commerce: Internet Security Essentials for Business, http://www.uschamber.com/issues/technology/internet-security-essentials-business
FCC: Small Biz Cyber Planner & 10 Cybersecurity Strategies for Small Business, http://www.fcc.gov/cyberplanner and http://www.uschamber.com/sites/default/files/issues/defense/files/10_cyber_strategies_for_small_Biz.pdf
NACHA: Sound Business Practices for Businesses to Mitigate Corporate Account Takeover, https://www.nacha.org/sites/default/files/files/cat%20-%20b.pdf
FTC Bureau of Consumer Protection: Protecting Personal Information, A Guide for Business, http://business.ftc.gov/sites/default/files/pdf/bus69-protecting-personal-information-guidebusiness_0.pdf
Questions?
UMACHA: 763-549-7000 or 1-800-348-3692
Speakers today: Angi Farren, AAP & Jen Wasmund, AAP
Email: angif@umacha.org & jenw@umacha.org
www.umacha.org