Online Account Takeover. Roger Nettie




Online Account Takeover
Roger Nettie, CUNA Mutual Group, 2013
CUNA Mutual Group Proprietary. Reproduction, Adaptation or Distribution Prohibited.

Session Outline
- Types of attacks
- Movement of funds
- Consumer versus commercial accounts
- Liability issues
- FFIEC guidelines
- Online account opening & funding

Types of Attacks
- Key logging
- Man-in-the-Middle
- Man-in-the-Browser
- Account recovery
- DDoS: disruptive? Distraction?

Keylogger Malware

SecureIT Researchers: ZeuS Trojan Detections on the Rise

The ZeuS Trojan that was employed by cyber crime rings to steal millions of dollars from U.S. banks in fall 2010 appears to be making a comeback. Our SecureIT researchers spotted a 55% increase in ZeuS Trojan or Zbot detections thus far in Q2 2013 versus Q1 2013. The new version of the ZeuS Trojan, dubbed a Zbot, is a botnet targeted towards stealing your banking information. A botnet is a group of Internet-connected devices that communicate with one another and carry out tasks simultaneously. These devices are capable of causing serious mayhem if they're all instructed to attack a single target, like a bank, at the same time.

Movement of Funds
- Cross-member transfer
- Bill payment
- ACH
- Wire transfer

Terminology
- Member-to-Member (M2M): cross-member transfer. From a CU member to a CU member; book-entry transfer.
- Account-to-Account (A2A): member-generated ACH debits and credits. From a CU member to an FI account; basic ACH origination.
- Person-to-Person (P2P): consumer-friendly identification layer over ACH, generally for sending funds. From a CU member to an FI account; phone/email identifier, ACH origination.
- Peer-to-Peer (also P2P): book-entry closed systems such as PayPal. From a vendor account to a vendor account; book-entry transfer.

Movement of Funds (continued)
- Cross-member transfer
- Bill payment
- ACH
- Wire transfer
- Money mules
- Prepaid debit cards

Money Mules

How they work:
- Recruited through email-based work-at-home job scams ("helping companies process payments")
- Receive a fraudulent transfer (often under $10,000), keep a small percentage, and wire the remainder to contacts abroad

Problems they create:
- Not the brightest individuals; trouble following instructions; mess up the details (reasons they are unemployed)
- Transposing digits in account and R&T numbers
- Failure to remove funds timely
- Might disappear with the money themselves

Hackers steal $527,000 from LES FCU account at bank

Credit Union Breaches
- Accounts at corporate credit unions
- A $650,000 loss where a credit union gave new online password access to somebody over the phone for a business account, and the perpetrators drained the account using the bill payment feature
- Large loss situation where thieves got into multiple member accounts and used cross-member transfer capabilities to transfer funds into a single member's account. This single member fell for a money mule scam and took the proceeds to Western Union to make international wire transfers
- Phishing of members, ACH credits

Credit Union Breaches (continued)
- Multiple waves of malware/mule and cross-member transfers
- ACHs to prepaid debit cards
- ACH payroll, with security
- ACH payroll, without security
- Core processor breach of password information?
- Wire, confirmed through email
- Wires by phone, then wires by online request

Man-in-the-Browser Attacks (illustration for educational purposes only)
1. Cyber crook sends a password-stealing Trojan as an email attachment or as a link to an infected website.
2. User logs into the online banking system. The Trojan wakes up when a targeted online banking website is visited.
3. User enters transfers (ACH or wires).
4. MITB overwrites the user's transaction, changing dollar amounts and destination accounts.
5. Funds are sent to the money mules.
6. Mules withdraw the money and wire it to the cyber crooks.

Overwrites User's Transaction (this illustration is created for educational purposes only)
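The control that defeats the rewrite shown above is out-of-band transaction verification (listed later under layered security controls): the bank describes the transfer it actually received over a second channel and binds a one-time code to those exact details. This is an added example, not the presentation's or any vendor's code; the server key, message format and field names are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the bank's per-deployment secret.
SERVER_KEY = secrets.token_bytes(32)

def _tag(nonce: str, amount_cents: int, dest_account: str) -> str:
    # The code is an HMAC over the exact details the server received, so a
    # code confirmed for one wire can never release a different one.
    canon = f"{nonce}|{amount_cents}|{dest_account}".encode()
    return hmac.new(SERVER_KEY, canon, hashlib.sha256).hexdigest()[:8]

def build_oob_message(received: dict) -> Tuple[str, str]:
    """Server side: describe the wire as RECEIVED and attach a bound code.
    This text travels over a second channel (SMS, phone, app), not the browser."""
    nonce = secrets.token_hex(4)
    code = _tag(nonce, received["amount_cents"], received["dest_account"])
    msg = (f"Wire of {received['amount_cents']} cents to acct "
           f"{received['dest_account']}; reply with code {code}")
    return msg, nonce

def member_review(msg: str, intended: dict) -> Optional[str]:
    """Member side: compare the message with what was typed into the browser.
    Hand back the code only when amount AND destination both match."""
    m = re.fullmatch(r"Wire of (\d+) cents to acct (\d+); reply with code (\w+)", msg)
    if not m:
        return None
    amount, dest, code = int(m.group(1)), m.group(2), m.group(3)
    if amount != intended["amount_cents"] or dest != intended["dest_account"]:
        return None  # the browser submitted something the member never asked for
    return code

def release_wire(received: dict, nonce: str, code: Optional[str]) -> bool:
    """Server side: release only if the returned code matches the received details."""
    if code is None:
        return False
    expected = _tag(nonce, received["amount_cents"], received["dest_account"])
    return hmac.compare_digest(expected, code)

def process_wire(intended: dict, received: dict) -> bool:
    """End to end: `intended` is what the member typed, `received` is what the
    bank got; they differ only if something in the browser rewrote the request."""
    msg, nonce = build_oob_message(received)
    return release_wire(received, nonce, member_review(msg, intended))
```

The member's comparison is the actual control: a Trojan that rewrites the browser session cannot rewrite a text message that echoes what the bank received.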

Consumer Versus Commercial Accounts: Liability

Consumer accounts
- Member negligence
- Regulation E

Commercial accounts
- Credit union accounts
- ACH transactions/payrolls
- Wire transfers
- Uniform Commercial Code Article 4A
- Commercially reasonable security procedures
- Written funds transfer agreements

FFIEC's Updated Authentication Guidance
The Federal Financial Institutions Examination Council (FFIEC) issued updated authentication guidance on June 28, 2011.

Risk assessments
- Financial institutions must review and update risk assessments:
  - to reflect changes in the threat environment;
  - prior to implementing a new electronic service; or
  - at least every 12 months
- Adjust authentication controls and add layered security controls as appropriate

Enhanced multifactor authentication for high-risk transactions
- ACH and/or wire transfer capabilities
- Implement administrative control capabilities for business accounts

Implement layered security controls
- Multiple controls implemented at various points in the transaction process
- If one control is compromised, there are others in place to detect and prevent fraudulent transactions

Implement customer awareness program

Authentication Options

Something you know
- Password
- Challenge questions

Something you have
- IP address (PC recognition)
- USB token
- Smart card
- Password-generating token
- Digital certificates

Something you are
- Biometrics

MITB attacks have rendered what were once considered strong multifactor authentication methods ineffective.

FFIEC Updated Authentication Guidance: Types of Layered Security Controls
- Fraud monitoring solution: monitor individual transactions for fraud
- Initial login and authentication
- Out-of-band authentication
- Out-of-band transaction verification
- Monetary and frequency limits
- Techniques to limit the use of the account, such as ACH debit blocks
- Restrictions on the days and hours of access
- Internet Protocol (IP) reputation-based tools to block connections to online banking servers from IP addresses known or suspected to be associated with fraudulent activities
- Enhanced controls over account maintenance changes initiated by customers through the online banking channel or through the call center

FFIEC Updated Authentication Guidance: FFIEC's Minimum Expectations
- Perform annual risk assessment
- A fraud monitoring method capable of detecting and effectively responding to suspicious or anomalous activity related to the initial login and authentication of customers and transfers to third parties
- Robust administrative function capabilities for business accounts:
  - the ability to set up multiple users and assign specific levels of authority to each user;
  - the ability to set up monetary limitations for each user who is authorized to initiate payments and transfers through bill pay, ACH, and wires;
  - the ability to establish dual control requirements for initiating payments and transfers through bill pay, ACH and wires;
  - the ability for the administrator to receive activity reports from transaction logs for reporting purposes; and
  - the ability for the administrator to receive account maintenance reports to assess the validity of any maintenance changes.
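The layered controls and administrative capabilities listed in the two slides above (per-user limits, dual control, day/hour restrictions, IP reputation blocking, activity reporting) can be expressed as independent checks that each vote on one ACH or wire request. The following is an added example, not the presentation's or any vendor's product; the policy fields, threshold values and the IP prefix list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed example: a minimal policy engine applying the listed administrative
# controls to one ACH/wire request. Amounts are in cents to avoid float rounding.

@dataclass
class UserPolicy:
    per_transfer_limit_cents: int
    daily_limit_cents: int
    can_initiate: bool = True
    allowed_hours: Tuple[int, int] = (8, 18)           # local time, [start, end)
    allowed_weekdays: frozenset = frozenset(range(5))  # Monday=0 .. Friday=4

@dataclass
class CompanyProfile:
    users: Dict[str, UserPolicy]
    dual_control_threshold_cents: int
    blocked_ip_prefixes: Tuple[str, ...] = ()  # stand-in for an IP reputation feed

def evaluate_transfer(company: CompanyProfile, user: str, amount_cents: int,
                      when: datetime, src_ip: str, sent_today_cents: int,
                      approver: Optional[str] = None) -> List[str]:
    """Return every reason the request must be held; an empty list means release.
    Each check is independent, so one compromised control leaves the others in place."""
    pol = company.users.get(user)
    if pol is None or not pol.can_initiate:
        return ["user not authorized to initiate payments"]
    reasons = []
    if any(src_ip.startswith(p) for p in company.blocked_ip_prefixes):
        reasons.append("source IP on reputation block list")
    start, end = pol.allowed_hours
    if when.weekday() not in pol.allowed_weekdays or not (start <= when.hour < end):
        reasons.append("outside permitted days/hours")
    if amount_cents > pol.per_transfer_limit_cents:
        reasons.append("exceeds per-transfer limit")
    if sent_today_cents + amount_cents > pol.daily_limit_cents:
        reasons.append("exceeds daily limit")
    if amount_cents >= company.dual_control_threshold_cents:
        second = company.users.get(approver) if approver else None
        if second is None or approver == user or not second.can_initiate:
            reasons.append("dual control: approval by a second authorized user required")
    return reasons

def audit_record(user: str, amount_cents: int, when: datetime, reasons: List[str]) -> dict:
    """One line for the administrator's activity report, whatever the outcome."""
    return {"user": user, "amount_cents": amount_cents, "at": when.isoformat(),
            "decision": "released" if not reasons else "held", "reasons": reasons}
```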

FFIEC Updated Authentication Guidance: Member Awareness Program
- Explain protections provided/not provided to members for electronic funds transfers initiated through online banking
- Indicate whether the member is entitled to Regulation E protection
- Explain the circumstances, if any, and the means by which the credit union may contact the member on an unsolicited basis requesting account information (most credit unions indicate they will not contact members to request account information)
- Explain safe online banking practices
- Recommend business members perform their own risk assessment
- Provide a list of credit union contacts in the event members notice suspicious account activity or experience security-related events

Online Account Opening, Account Funding

Fraudulent opening of accounts
- Identity theft
- Account used for fraudulent purposes

Deposit fraud
- Remote deposit capture
- Electronic deposits
- Fraud by member
- Fraud by outsider, account compromised
- Fraud by member's new online friend

Security Authentication Standards
(Chart: security on the vertical axis from low to high; complexity and cost of implementation on the horizontal axis from low to high.)
- Level 1 (low security, low cost): verification of an email address; password / shared secret
- Level 2: online process that compares personal information against widely referenced databases; knowledge-based authentication
- Level 3 (high security, high cost): requires physical appearance with government-issued photo identification; hardware-based digital certificates

What questions do you have?

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/publication, nor does it replace any provisions of any insurance policy or bond. Credit Union Protection insurance products offered to credit unions, including the Fidelity Bond, Management & Professional Liability Policy, Special Insurance Package, Plastic Card Policy, Cyber & Security Incident Policy, and Property/Business Liability Policy are underwritten by CUMIS Insurance Society, Inc., a member of CUNA Mutual Group. CUNA Mutual Insurance Agency, Inc., an affiliate within CUNA Mutual Group, is the marketing agent licensed to broker various other property and casualty coverage. To determine underwriting company information for each policy type, please refer to the actual policy documents and declarations pages. Coverage may vary or may not be available in some states. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. This is not intended to be legal advice but only a high-level review of the law.

As the exact interpretation of the statutory requirements will depend on specific facts and circumstances, credit unions are encouraged to consult independent legal counsel in interpreting the requirements of the law and its application to their operations. CUNA Mutual Group Proprietary and Confidential. Further Reproduction, Adaptation, or Distribution Prohibited. CUNA Mutual Group, 2013. All Rights Reserved.