Online Cash Management Security: Beyond the User Login


Presented by Sonya Crites, CTP (SunTrust) and Anita Stevenson-Patterson, CTP (Manheim), February 28, 2008

Agenda
- Industry Trends
- Government Regulations
- Payment Fraud is Big Business
- Online Fraud
- Best Practices
- Reference Materials and Handouts

Industry Trends

Industry Trends: Payment Methods Subject to Fraud in 2006
[Bar chart: percentage of responding organizations that were subject to attempted or actual fraud via each payment method; values as read from the chart, in the order the methods are listed]
- Checks: 93%
- ACH debits: 35%
- Consumer credit cards: 17%
- Corporate purchasing cards: 14%
- Consumer debit cards: 5%
- ACH credits: 3%
- Wire transfers: 3%
Source: 2007 AFP Payments Fraud Survey

Industry Trends: Check Fraud
- Many organizations use fraud control services.
- Many organizations have tightened internal controls to avoid financial loss.
- 42% of organizations that experienced at least one payments fraud attempt reported no losses from the attempt.
- 86% of survey respondents report that their organizations had adopted positive pay services before 2006 to protect against check fraud. Only 30% used payee positive pay before 2006.

Industry Trends: ACH Fraud
- Companies that experienced losses had failed to use available services or to follow best practices:
  - Half of the organizations did not use ACH debit blocks or filters.
  - 22% failed to reconcile their accounts or to return fraudulent ACH debits on a timely basis.
- Smaller organizations (under $1 billion in revenue) were nearly three times as likely as larger organizations to have suffered losses from ACH fraud.
Source: 2007 AFP Payments Fraud Survey

Government Regulations
The Federal Financial Institutions Examination Council (FFIEC) issued guidance (October 2005) requiring financial institutions to provide stronger authentication for online banking:
- Applies to both retail and commercial clients.
- Does not endorse any particular technology.
- Positioned as necessary for compliance with existing requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of electronic agreements and transactions.
Source: Authentication in an Internet Banking Environment, FFIEC

Government Regulations (cont'd)
Existing authentication methodologies involve three basic factors:
- Something the user knows (e.g., password, PIN)
- Something the user has (e.g., ATM card, smart card)
- Something the user is (e.g., a biometric characteristic such as a fingerprint)
The FFIEC guidance regards single-factor authentication as inadequate for high-risk transactions (access to customer information or movement of funds) and expects institutions to use multi-factor authentication, layered security, or other compensating controls. Requiring two different factors at login is the usual reading of this; two instances of the same factor (for example, a password plus a challenge question) do not count as multi-factor.
Source: Authentication in an Internet Banking Environment, FFIEC

Government Regulations (cont'd)
Common solutions being offered by financial institutions include:
- Hardware or software tokens
- Biometric identification (e.g., fingerprint, voice, retinal)
- PC (device) fingerprinting
- Email out-of-band approvals (note that email read on the same compromised PC is not genuinely out of band)
- One-time passwords
- Smart cards
- Digital certificates
Source: Authentication in an Internet Banking Environment, FFIEC

Payment Fraud is Big Business: Checks
- In 2003, check fraud cost the industry $677 million (American Bankers Association).
- In 2004, check fraud exceeded $20 billion per year (The Nilson Report).
- An estimated 1.2 million fraudulent checks are written every day (Office of the Comptroller of the Currency).
These figures come from different sources that measure different things (realized losses versus the value of fraudulent items, for example) and are not directly comparable.

Payment Fraud is Big Business: Electronic Payments
- The banking industry's losses from ACH fraud rose 62.5% in 2005, to $65 million (Financial Insights).
- Illicit wire transfers are easily hidden among the almost 1,000,000 mostly legitimate wire transfers that occur daily in the U.S. (Brighterion).
- Credit card fraud rose from $1.7 billion in 2000 to $2.7 billion in 2004 (Celent Communications).

Payment Fraud is Big Business: Means of Access
[Pie chart of how the data used for identity fraud was obtained; the chart's key grouped the slices as primarily business controlled, primarily consumer controlled, or online access]
- Lost or stolen wallet, checkbook or credit card: 30%
- By friends, acquaintances, relatives or in-home employees: 15%
- Taken by a corrupt business employee: 15%
- From stolen paper mail or by fraudulent change of address: 8%
- Misuse of data from an in-store/onsite/mail/telephone transaction: 7%
- Some other way: 7%
- Stolen from a company that handles your financial data: 6%
- Company viruses, spyware, or hackers: 5%
- Phishing: 3%
- Garbage: 1%
- Online transactions: 0.3%
Source: 2006 Javelin Strategy & Research Identity Fraud Survey Report
In this survey the online vectors (viruses/spyware/hackers, phishing and online transactions) together account for under 10% of cases; the majority of compromises were physical or insider.

Online Fraud: External Forms
Phishing: the use of fraudulent emails or pop-up Web pages that appear legitimate and are designed to deceive a user into sharing personal or account information.
[Chart: Segmentation of US Banking Brands Attacked by Phishing (source: RSA Security)]
Sample phishing message (sanitized):

From: Your Bank [mailto:serviceteam.refmt4333215.nf@yourbank.com]
Sent: Monday, July 16, 2007 3:43 PM
To: John.Doe
Subject: Your Bank Client Service Team: Notification! (message id: dz73648510689)

Dear Your Bank customer,
Your Bank Client Service Team requests you to complete Online Cash Management Customer Form. This procedure is obligatory for all business and corporate clients of Your Bank. Please click hyperlink below to access Online Cash Management Customer Form.
http://onlinecashmanagement-id0532000.yourbank.com/cmserver/fakelogin.cfm
Thank you for choosing Your Bank for your business needs. Please do not respond to this email. This mail generated by an automated service.

Red flags in the sample: a generic salutation, a machine-generated sender address, pressure language ("obligatory for all business and corporate clients"), a plain-http link, and a login host that resembles but is not the bank's real login address.
Source: RSA Security
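As an added example (not from the presentation or from RSA), the Python below runs a few of those red-flag checks over a constructed raw message that reproduces the sanitized sample. The set of approved login hosts is an assumption standing in for the list a bank would publish to its clients; note that a suffix match on "yourbank.com" would pass the sample, which is why the check is an exact-host comparison.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed raw message reproducing the sanitized phish quoted on the slide.
SAMPLE = """\
From: Your Bank <serviceteam.refmt4333215.nf@yourbank.com>
To: John.Doe@example.com
Subject: Your Bank Client Service Team: Notification! (message id: dz73648510689)
Date: Mon, 16 Jul 2007 15:43:00 -0400

Dear Your Bank customer,

Your Bank Client Service Team requests you to complete Online Cash Management
Customer Form. This procedure is obligatory for all business and corporate
clients of Your Bank. Please click hyperlink below to access Online Cash
Management Customer Form.

http://onlinecashmanagement-id0532000.yourbank.com/cmserver/fakelogin.cfm

Thank you for choosing Your Bank for your business needs.
Please do not respond to this email. This mail generated by an automated service.
"""

# Constructed benign notice for comparison.
BENIGN = """\
From: Your Bank <alerts@yourbank.com>
To: John.Doe@example.com
Subject: Statement available

Dear John Doe,

Your March statement is available at https://www.yourbank.com/statements.
"""

# Assumed: the exact hosts at which the bank asks clients to log in.
LEGIT_LOGIN_HOSTS = {"www.yourbank.com", "onlinecashmanagement.yourbank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
PRESSURE_WORDS = ("obligatory", "mandatory", "verify", "suspend",
                  "immediately", "within 24 hours")


def triage(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host not in LEGIT_LOGIN_HOSTS:          # exact match, not suffix match
            findings.append(f"link host is not an approved login host: {host}")
        if parts.scheme.lower() == "http":
            findings.append(f"link is plain http: {url}")

    sender = msg.get("From", "")
    local_part = sender.split("<")[-1].split("@")[0]
    if re.search(r"\d{5,}", local_part):
        findings.append(f"sender local-part looks machine-generated: {local_part}")

    if re.search(r"^dear .*customer,", body, re.IGNORECASE | re.MULTILINE):
        findings.append("generic salutation instead of the client's name")

    hits = [w for w in PRESSURE_WORDS if w in body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings
```

Heuristics like these belong in a mail gateway or a user-reporting workflow; none of them substitutes for the transaction controls later in the deck, since a well-crafted phish can avoid every one of them.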

Online Fraud: External Forms (cont'd)
Pharming: occurs when attackers manipulate Internet name resolution (DNS, or the local hosts file) so that when you type a legitimate Web address you are redirected to a fraudulent Web site without your knowledge.
Spyware: malicious software loaded on your computer without your knowledge and used to capture user IDs and passwords as you access Web sites.
Trojans: malicious programs that, for example, overlay fake fields on top of a login screen to collect online credentials, which are then transmitted to the phisher for misuse.
July 2007 was the third-highest month for phishing attack volume in the preceding year; the RSA Anti-Fraud Command Center identified attacks against 15 institutions that it had not seen attacked before.

Online Fraud: External Forms (cont'd)
Keyloggers: programs that monitor Web usage and collect login credentials from targeted sites, including financial institutions.
Man in the Middle: a form of phishing in which the attacker positions himself between the user and the legitimate site. Messages intended for the legitimate site are passed to the attacker instead, who records the valuable information, passes the messages on to the legitimate site, and forwards the responses back to the user. Because the attacker relays whatever the user types in real time, a one-time password entered at login is relayed too; login-time authentication alone does not stop this, which is why the transaction-level controls under Best Practices matter.
Source: RSA Security

Online Fraud: Internal Forms
- Collusion: cooperation among two or more employees to commit fraud by embezzling funds.
- Unauthorized payment initiation: payments initiated using account information obtained without authorization, whether disclosed through phishing or through an employee's access to online services, accounts or checks.
- Check stock theft: theft of check stock with the intent to cash checks, purchase goods and withdraw funds.
- Check alterations: fraudulent changes to the amount or payee name on a check.

Best Practices: Company Controls (Online Cash Management)
- Reconcile accounts frequently.
- Implement segregation of duties.
- Define transaction limits.
- Delete employees' online user IDs as part of exit procedures.
- Require monthly password resets with strong password formats (current NIST guidance, SP 800-63B, no longer recommends periodic resets unless there is evidence of compromise).
- Disable employees' user IDs while they are on vacation or leave.
- Remove unnecessary entitlements from employees.
- Review activity reports daily.

Best Practices: PC and Network Security Controls
- Ensure all PCs have current antivirus protection and are protected by firewalls.
- Download and install security patches promptly.
- Do not divulge account information.
- Do not divulge login information.
- Beware of file sharing.
- Encrypt your data.
- Don't underestimate the need to educate employees on fraud awareness and prevention.

Best Practices (cont'd)
- Avoid setting up "super users": no single user ID should be able to both initiate and approve (release) a payment.
- Set up at least two users, one to initiate and one to approve online payments.

Best Practices (cont'd)
- Segregation of duties creates a barrier to unauthorized payment initiation, whether by phishers or by internal employees, because a separate user must approve the payment before it is released; a stolen credential or a dishonest employee then has to compromise a second person as well.
- Multi-factor authentication combined with segregation of duties was, at the time of this presentation (2008), the strongest combination of controls offered commercially.

Best Practices: Bank Controls Available
- Automated alerts sent to multiple managers when unusual transactions occur, e.g., a payment initiated above a designated threshold.
- Multi-factor authentication (something the user knows plus something the user has).
- IP address and device restrictions.
- Hardware or software tokens.
- Smart cards.
- Digital certificates.
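The company controls and bank controls above (segregation of duties, no super users, transaction limits, disabled user IDs for leavers and staff on leave, amount-based dual approval, threshold alerts to more than one manager) are easiest to reason about as one workflow. The Python below is an added illustration written for this page, not SunTrust's or any bank's system; user names, limits and the alert mechanism (a list standing in for email or SMS) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class User:
    user_id: str
    can_initiate: bool = False
    can_approve: bool = False
    approval_limit: int = 0      # largest single payment (cents) this user may approve
    active: bool = True          # False while on leave, or after the exit procedure


@dataclass
class Payment:
    payment_id: str
    initiator: str
    amount: int                  # cents
    beneficiary: str
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class PaymentControls:
    """Initiate/approve workflow enforcing the controls listed on the slides."""

    def __init__(self, users, company_limit: int, alert_threshold: int,
                 dual_approval_above: int, managers: List[str]):
        self.users: Dict[str, User] = {u.user_id: u for u in users}
        self.company_limit = company_limit          # hard cap on any single payment
        self.alert_threshold = alert_threshold      # alert managers at or above this
        self.dual_approval_above = dual_approval_above
        self.managers = managers
        self.alerts: List[Tuple[str, str]] = []     # (manager, message) stand-in for email/SMS

    def _active_user(self, user_id: str) -> User:
        user = self.users.get(user_id)
        if user is None or not user.active:
            raise PermissionError(f"{user_id}: unknown or disabled user ID")
        return user

    def approvals_required(self, amount: int) -> int:
        """Dynamic approvals: larger payments need two approvers."""
        return 2 if amount > self.dual_approval_above else 1

    def initiate(self, payment_id: str, initiator: str, amount: int,
                 beneficiary: str) -> Payment:
        user = self._active_user(initiator)
        if not user.can_initiate:
            raise PermissionError(f"{initiator}: no initiation entitlement")
        if amount > self.company_limit:
            raise ValueError(f"{payment_id}: {amount} exceeds company limit {self.company_limit}")
        payment = Payment(payment_id, initiator, amount, beneficiary)
        if amount >= self.alert_threshold:
            for manager in self.managers:   # more than one recipient, so one insider cannot suppress it
                self.alerts.append((manager, f"{payment_id}: {amount} to {beneficiary} initiated by {initiator}"))
        return payment

    def approve(self, payment: Payment, approver: str) -> bool:
        """Record one approval; returns True once the payment is released."""
        user = self._active_user(approver)
        if not user.can_approve:
            raise PermissionError(f"{approver}: no approval entitlement")
        if approver == payment.initiator:
            raise PermissionError("segregation of duties: initiator cannot approve own payment")
        if approver in payment.approvals:
            raise PermissionError(f"{approver}: already approved {payment.payment_id}")
        if payment.amount > user.approval_limit:
            raise PermissionError(f"{approver}: amount exceeds personal approval limit")
        payment.approvals.append(approver)
        if len(payment.approvals) >= self.approvals_required(payment.amount):
            payment.released = True
        return payment.released
```

The point of the model is that a phished credential for "alice" (initiate only) cannot move money by itself, and a phished credential for "bob" (approve only) cannot either; an attacker needs two victims, and for larger amounts three, which is exactly the barrier the segregation-of-duties slide describes.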

Best Practices: Fraud Prevention and Detection Services
- Positive pay (the company sends the bank its issued-check file; the bank pays only matching items and returns exceptions for decision), reverse positive pay (the bank sends presented items to the company for decision), and ACH positive pay.
- ACH debit blocking (and filtering by authorized originator).
- Bank-defined wire templates.
- Payment initiation workflow that provides flexible control over release:
  - Segregation of duties
  - Fixed or dynamic approvals
  - Payment amount limits
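To make the matching behind positive pay and ACH debit filtering concrete, the Python below is an added example, not from the presentation or any bank. The issue file, presented items, originator IDs and caps are constructed data; amounts are in cents to avoid floating-point comparisons. The ACH return reason R29 (corporate customer advises not authorized) is the standard reason code for debits the company did not authorize.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Check:
    number: int
    amount: int      # cents
    payee: str


def positive_pay(issued: Iterable[Check], presented: Iterable[Check],
                 already_paid: Iterable[int] = ()) -> List[Tuple[int, str]]:
    """Payee positive pay: match each presented item against the issue file on
    number, amount and payee. Returns (check number, reason) exceptions for the
    company to decision; everything else pays. Plain positive pay is the same
    without the payee comparison, which is why altered-payee checks get through it."""
    issue_file = {c.number: c for c in issued}
    paid = set(already_paid)
    exceptions = []
    for item in presented:
        rec = issue_file.get(item.number)
        if rec is None:
            exceptions.append((item.number, "not on issue file"))
        elif item.number in paid:
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != rec.amount:
            exceptions.append((item.number, f"amount {item.amount} differs from issued {rec.amount}"))
        elif item.payee.strip().upper() != rec.payee.strip().upper():
            exceptions.append((item.number, f"payee '{item.payee}' differs from issued '{rec.payee}'"))
        else:
            paid.add(item.number)
    return exceptions


@dataclass(frozen=True)
class AchDebit:
    originator_id: str    # ACH company ID of the party debiting the account
    originator_name: str
    amount: int           # cents


def ach_debit_filter(debits: Iterable[AchDebit],
                     authorized: Dict[str, int]) -> Tuple[List[AchDebit], List[Tuple[AchDebit, str]]]:
    """ACH debit filter: post only debits from authorized originator IDs within the
    per-originator cap; everything else is returned with reason R29."""
    post, returned = [], []
    for d in debits:
        cap = authorized.get(d.originator_id)
        if cap is None:
            returned.append((d, "R29: originator not authorized"))
        elif d.amount > cap:
            returned.append((d, f"R29: amount {d.amount} exceeds authorized cap {cap}"))
        else:
            post.append(d)
    return post, returned


# Constructed sample data (not real checks, payees or company IDs).
ISSUED = [Check(1001, 125_000, "ACME Supply"),
          Check(1002, 40_000, "Office Depot"),
          Check(1003, 999_900, "Payroll Services Inc")]
PRESENTED = [Check(1001, 125_000, "ACME Supply"),      # clean
             Check(1002, 400_000, "Office Depot"),     # amount altered
             Check(1004, 50_000, "Cash"),              # stolen stock, never issued
             Check(1003, 999_900, "J. Fraudster"),     # payee altered
             Check(1001, 125_000, "ACME Supply")]      # presented a second time
AUTHORIZED_ORIGINATORS = {"1234567890": 500_000}        # payroll provider, up to $5,000 per debit
DEBITS = [AchDebit("1234567890", "PAYROLL CO", 300_000),
          AchDebit("9876543210", "UNKNOWN LLC", 4_999),
          AchDebit("1234567890", "PAYROLL CO", 600_000)]


def run_sample():
    return positive_pay(ISSUED, PRESENTED), ach_debit_filter(DEBITS, AUTHORIZED_ORIGINATORS)
```

Note that the unknown originator's debit is small ($49.99), the kind of test transaction fraudsters use before a large one; an allowlist returns it regardless of amount, whereas a review based only on size would not.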

Reference Materials and Handouts
- Best Practices Checklist
- Sample RFP Questions
- Online Fraud Awareness and Prevention Flyer
Reference Web sites:
- www.suntrust.com/treasury
- www.afponline.org
- www.s-ox.com/resources/index.cfm
- www.antiphishing.org/
- www.esecurityplanet.com/

Contacts
Sonya Crites, CTP, Group Vice President, SunTrust, sonya.crites@suntrust.com, 404.588.8071
Anita Stevenson-Patterson, CTP, Director of Treasury Operations & Patriot Compliance Officer, Manheim, anita.patterson@manheim.com, 678.645.2020

SunTrust Client Commitment: SunTrust will never send unsolicited emails asking clients to provide, update, or verify personal or account information, such as passwords, Social Security numbers, PINs, credit or Check Card numbers, or other confidential information.

SunTrust Bank, Member FDIC. © 2008 SunTrust Banks, Inc. SunTrust is a federally registered service mark of SunTrust Banks, Inc.