Overall, which types of fraud has your organisation experienced in the past year?

Transcription:

1) Overall, which types of fraud has your organisation experienced in the past year?
- Insider fraud
- Corporate Account Takeover
- Consumer Account Takeover
- ATM/ABM (skimming, ram raid, etc.)
- Bill pay
- Cheque
- Corruption or bribery
- Credit/debit card
- Cross-border
- Call Centre
- First-party
- Customer information theft
- Customer information deletion or corruption
- Intellectual Property theft or piracy
- Intellectual Property deletion or corruption
- Mobile device (malware, hack, etc.)
- Money-laundering
- Mortgage
- Online banking
- ecommerce (non-banking)
- Theft of physical assets
- Third-party POS skimming
- Vendor, third-party or supplier (non-skimming)

2) Which types of fraud do you feel your organisation is currently best prepared to prevent and detect?
- Insider fraud
- ACH/wire (corporate account takeover)
- ATM/ABM (skimming, ram raid, etc.)
- Bill pay
- Cheque
- Corruption or bribery
- Credit/debit card
- Cross-border
- Call Centre
- First-party
- Customer information theft
- Customer information deletion or corruption
- Intellectual Property theft or piracy
- Intellectual Property deletion or corruption
- Mobile device (malware, hack, etc.)
- Money-laundering
- Mortgage
- Online banking
- ecommerce (non-banking)
- Theft of physical assets
- Third-party POS skimming
- Vendor, third-party or supplier (non-skimming)

3) How is a fraud incident involving your organisation typically detected?
- At the point of origination
- At the point of transaction
- During account audit/reconciliation
- Internal whistleblower
- Third-party investigation
- Third-party notification
- Through automated data analysis or transaction monitoring software
- When a customer notifies us

4) When fraud occurs, how long do you estimate it takes your organisation to uncover the incident?
- 1 to 2 hours
- 3 to 4 hours
- 5 to 6 hours
- 7 to 8 hours
- More than 8 hours
- We lack that ability; every incident is different

5) Upon discovering fraud, how long does it take for your organisation to react, respond and resolve the incident?
- 1-8 hours
- 9-16 hours
- 17-24 hours
- 1-2 days
- 3-5 days
- More than five days
- We lack that ability

6) Have financial losses linked to fraud increased, decreased or stayed steady in the past year?
- Increased
- Decreased
- Remained steady
- Unsure

7) Beyond the financial toll from the fraud incidents, what non-financial losses did your organisation suffer from fraud incidents?
- Customer accounts (moved to other institutions)
- Loss of productivity
- No losses
- Regulatory or other compliance issues (additional scrutiny from regulators or standards bodies)
- Reputational impact

8) Which are your organisation's biggest challenges to fraud prevention?
- Difficulty integrating data from various sources
- Difficulty investigating crimes across borders
- Inadequate fraud detection tools & technologies
- Insufficient resources (budget and/or personnel)
- Lack of customer awareness
- Lack of skills on staff
- Organisational silos
- Poor coordination with law enforcement

9) Which of these recommended technology-based controls has your organisation already invested in?
- Multifactor authentication
- Device ID
- Out-of-band verification for authentication
- Out-of-band verification for transactions
- "Positive pay," debit blocks, and other limits on transactional use
- Enhanced control over changes to account-maintenance activities by customers
- Enhanced controls over account activities
- Enhanced customer education
- Fraud detection and monitoring systems
- Internet protocol [IP] reputation-based tools
- Behavior-based anomaly detection technology
- Manual processes to detect online banking anomalies
- Cross-channel fraud detection
- Big data analytics
- Artificial intelligence

10) Which anti-fraud investments do you plan to make within the next 12 months?
- Multifactor authentication
- Device ID
- Out-of-band verification for authentication
- Out-of-band verification for transactions
- "Positive pay," debit blocks, and other limits on transactional use
- Enhanced control over changes to account-maintenance activities by customers
- Enhanced controls over account activities
- Enhanced customer education
- Fraud detection and monitoring systems
- Internet protocol [IP] reputation-based tools
- Behavior-based anomaly detection technology
- Manual processes to detect online banking anomalies
- Cross-channel fraud detection
- Big data analytics
- Artificial intelligence

11) Who ultimately should be held responsible for losses incurred from financial data breaches (assuming the fraudsters themselves are not tracked down)?
- The organisation whose systems were breached
- The institution that issued the compromised financial instrument or transaction channel (e.g. payment card or bank account)
- The security vendor that testified to the breached entity's security
- The payment card brands whose cards are susceptible to breach and fraud
- The holder of the account that was compromised
- Organisations whose systems or products were used to conduct the fraud (such as domain name providers) without due diligence being taken as to their use

12) In the most common or most serious cases of fraud your organisation experienced, which PRIMARY mechanisms were employed to obtain information for fraudulent use? (select two)
- Phishing - to capture web credentials
- Phishing - to install malware (from email attachment or web site)
- Malware infection (visiting compromised web site)
- Malware infection by any other method
- Call Centre Social Engineering
- Employee Social Engineering (other than Call Centre)
- Physical data removal - stolen
- Physical data removal - lost/poorly disposed of
- Network penetration (e.g. poor firewall or data segmentation policies)
- Application security compromise
- Poor authentication policies (e.g. default, shared or simple passwords)
- Large scale data breach using a combination of the above (potentially an "Advanced Persistent Threat")

13) What attack mechanisms do you feel that your company is BEST able to defend against?
- Phishing - to capture web credentials
- Phishing - to install malware (from email attachment or web site)
- Malware infection (visiting compromised web site)
- Malware infection by any other method
- Call Centre Social Engineering
- Employee Social Engineering (other than Call Centre)
- Physical data removal - stolen
- Physical data removal - lost/poorly disposed of
- Network security circumvention (e.g. poor firewall or segmentation policies)
- Application security compromise
- Poor authentication policies (e.g. default, shared or simple passwords)
- Large scale data breach using a combination of the above (potentially an "Advanced Persistent Threat")

14) What change have you seen in account takeover activity in the past year?
- Corporate Account takeover incidents have decreased
- Consumer Account takeover incidents have decreased
- Corporate Account takeover incidents have increased
- Consumer Account takeover incidents have increased
- No measurable impact

15) What change have you seen in account takeover financial losses in the past year?
- Corporate Account takeover losses have decreased
- Consumer Account takeover losses have decreased
- Corporate Account takeover losses have increased
- Consumer Account takeover losses have increased
- No measurable change

16) Over the past year, how did card-related fraud losses most commonly occur?
- Customer perpetrated the fraud
- Data breach at a payment processor
- Data breach at a retailer
- Insider/employee perpetrated the fraud
- Mail or telephone order/internet fraud/card-not-present
- PIN point-of-sale fraud
- Signature point-of-sale (skimming) fraud
- Unauthorised ATM (skimming) withdrawals
- Not applicable

17) Over the past year, have you detected a rise in cross-channel fraud, where multiple channels are compromised concurrently?
- Yes, we detect an increase in cross-channel fraud
- No significant increase
- Cross-channel incidents have decreased

18) How has the number of targeted phishing attacks aimed at your employees changed in the past year?
- Increased
- Decreased
- Employees have not been targeted

19) How has the number of fraud incidents resulting from these targeted phishing attacks changed in the past year?
- Increased
- Decreased
- Employees have not been targeted

20) What mobile malware trends have you seen over the past year?
- We see a significant increase in mobile malware attacks
- We see no significant change whatsoever
- We actually see a decrease

21) How does your organisation defend against mobile malware attacks?
- Secure mobile apps
- Provide free mobile malware detection software
- Provide secure mobile-browser banking
- Customer education
- Anomaly detection
- Mobile malware is not a current concern
- Not applicable

22) How has the number of insider fraud incidents changed in the past year?
- The number has grown
- The number has decreased
- No measurable change

23) How does your organisation currently address insider fraud risks?
- Cross-checks with HR for unsatisfactory performance
- Use of centralised logging to detect data exfiltration
- Use of encrypted Web sessions via traffic inspection to detect data exfiltration
- Use of SIEM signatures to detect precursors to IT sabotage
- Enhanced IAM systems
- Behavioral monitoring
- Anomaly detection
- Heightened background checks
- Quarterly reviews of employee activity
- Internal whistleblower

24) In your opinion, how effective are awareness & training programs for employees and customers in reducing incidents of fraud?
- Done right, very effective
- Not at all effective - just lip service
- Only somewhat effective

25) How do you assess your organisation's current anti-fraud awareness & training programs for employees?
- 1 - superior
- 2 - above average
- 3 - average
- 4 - below average
- 5 - failing

26) How do you assess your organisation's current anti-fraud awareness & training programs for customers?
- 1 - superior
- 2 - above average
- 3 - average
- 4 - below average
- 5 - failing

27) Does your organisation calculate the total impact of fraud across all channels on an ongoing basis?
- Yes
- No

28) Does your organisation report fraud incidents to the police?
- Yes, in all cases
- Only when losses incurred reach a pre-determined level
- No

29) Does your organisation share information on fraudulent activity with other companies in your sector? If so, how effective is this strategy in reducing fraud perpetrated against your company?
- We do not share information on fraud outside our organisation
- Sharing information on fraudulent activity with other companies has no measurable impact on reducing future fraudulent activity against us
- Sharing information on fraudulent activity with other companies helps us implement appropriate counter-fraud measures, which has a measurable impact on future attempts at fraud

30) Do you support the need for added public surveillance and expanded monitoring powers for law enforcement in combatting cyberfraud?
- Always, for matters of a national security scope
- Only in extreme cases where court authorisation can be produced
- In specific cases where court preauthorisation can provide blanket access
- Law enforcement & intel agencies should have access to all available information
- Surveillance and monitoring are always acceptable with proper notice & consent
- So long as the fundamental right to individuals' privacy is respected

31) Where should we draw the line for warrantless access when investigating cybercrime or traditional fraud activity?
- Warrantless access with proper notice, consent and disclosure is permissible
- It must be disclosed well ahead of time in every instance
- It must be publicly disclosed & independently audited, but allowed
- It must only be kept secret if deemed of a national security nature
- It should never be used, as it erodes public trust
- Not applicable

32) Why is the battle against money laundering and ID theft so difficult in the UK?
- Cybercrime trends are moving faster than law enforcement can keep up
- Inadequate training for law enforcement & intelligence agencies
- Lack of collaboration and shared/centralised information access
- Discrepancies in law across geopolitical boundaries
- Organised cybercrime is too complex, layered and decentralised
- Don't believe the hype. The UK has made great progress in the past 36 months.

33) In what ways has cyberfraud supplanted traditional fraud?
- Actually, cyberfraud and cybercrime require entirely different law enforcement capabilities
- Both are motivated by profit and leverage deceptive tactics, but cyberfraud does it on a larger scale
- For traditional fraud to scale, it must go digital, so cyberfraud is the natural next step
- Law enforcement already treats them largely the same way
- Laws should be harmonised to prosecute and treat them with equal veracity

34) How should the effectiveness of fraud reporting be enhanced in the UK?
- Fraud reports should be openly accessible by everyone
- Much more resources should be allocated to combatting emerging threats
- Public education programs should be widely available across the UK
- Free tools should be made available to supplement enhanced education
- Better metrics and quantitative methods should be used to track fraudulent activity
- There should be a single reporting point for fraud and cyber crime

35) What is the title of the person charged with leading fraud prevention at your organisation?
- Chief operations officer
- Compliance officer
- Fraud manager
- Information security officer
- IT
- Physical security/loss prevention officer
- Risk manager
- Local counter fraud specialist

36) How large is your organisation's department assigned to fraud prevention and detection?
- 1 to 5
- 6 to 10
- 11 to 25
- 26 to 100
- More than 100
- We do not have a designated dept.; duties are managed by audit, compliance, IT, risk, etc.

37) What is your primary job function?
- Auditor
- BSA officer
- CEO/COO/CFO/CIO
- Compliance manager
- Fraud/loss prevention
- Finance/Accounting
- Operations
- Risk officer
- Security officer
- CISO
- Security consultant
- CRO
- Risk manager
- Senior Security/IT (non-C titles)
- Technical staff

38) What type of entity is your organisation?
- Bank
- Building Society
- Government agency
- Independent service organisation
- Other financial services organisation

39) If a bank or other FI, what is your organisation's size by assets?
- Under 250 million
- 250 million to 500 million
- 500 million to 1 billion
- 1 billion to 5 billion
- 5 billion to 10 billion
- Over 10 billion
- Not applicable

40) Where is your organisation headquartered geographically?
- United Kingdom
- Asia (except India)
- Australia/New Zealand
- Canada
- Caribbean
- Europe (except UK)
- India
- Mexico
- Pacific/Oceania
- South America

41) The first 50 respondents will receive a 15 Amazon gift card. Please submit your email address to qualify. If you would like to be notified of survey results, please provide your email address in the box below: