
www2.acams.org/webinars

ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security

COPYRIGHT NOTICE – USE OF WEBEX LOGIN/PASSWORD FOR ACAMS WEB SEMINARS

Each site license entitles registrant to one login: one phone connection (if accessing audio via teleconference) and one Internet connection for simultaneous Webcast, in one room where an unlimited number of listeners may participate.

Providing your login instructions and password to another for their use, using your login ID/password more than once, or any simultaneous or delayed transmission, broadcast, re-transmission or re-broadcast of this event to additional sites/rooms by any means (including but not limited to the use of telephone conferencing services or a conference bridge, whether external or owned by the registrant) or recording is a violation of U.S. copyright law and is strictly prohibited.

Technical Assistance

• Send a message via the Q & A box
• Or call WebEx Technical Support: (US & Canada) 866-229-3239, (International) 916-229-3239

Attendee instructions on how to use Audio Broadcast

• Do not close the Audio Broadcast panel.
• If you are not able to listen to the audio on your computer speakers, press the stop button, wait 5 seconds, then press play.
• Make sure to adjust the volume button on your computer speakers and also adjust the volume on your sound card. To do this, go to the Start Menu, click Control Panel, then click Sound & Audio Devices and adjust accordingly.
• If you do not have speakers, please refer to your login instructions for the Teleconference Domestic and International Numbers and Access Code.
• You may request the Teleconference Number by clicking “Request” under the attendee box on your left hand side.

Welcome to Today’s ACAMS Web Seminar

ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security

April 11, 2012, 12:00 Noon – 1:00 PM EDT

A sound check will be performed 5 minutes before the start time.

• Can you hear the sound check?
• It has begun


To send a question:

• Locate the Q & A box on the bottom right hand corner of the WebEx platform.

• Type in your question and click send!


Today’s Presenters

BRENDAN BROTHERS, Co‐Founder, Verafin

Co‐founded Verafin (BSA/AML Compliance & Fraud Detection software company) in 2003

Frequent speaker at industry conferences and key presenter for Verafin’s anti‐financial crime thought leadership webinar series

Verafin has more than 800 financial institution customers across North America

RICK MALTZ, Executive Vice President & Chief Risk Officer, Bangor Savings Bank

Rick has over 29 years of experience in Banking, specializing in Risk Management, Information Security, Operations, Compliance and Internal Audit.

Has been with Bangor Savings Bank for 13 years

Oversees enterprise risk management, information & physical security, fraud management, compliance, BSA, credit policy, loan review, real estate valuation and legal


Today’s Agenda:

FFIEC Guidance on Internet Banking

Layered Security

Corporate Account Take Over

Processes, Controls & Best Practices to Combat Online Account Takeover

Overview of Changes in 2011 Supplement

2005: Guidance – Authentication in an Internet Banking Environment

2011: Supplement to the Guidance

Since 2005, threats have become more sophisticated, effective, and malicious

Small and midsize businesses are frequent targets

Despite expectation for periodic risk assessments, examiners reported that some FIs have not done so

Agencies needed to reemphasize and clarify control expectations

Supplement has more specificity:
• New expected minimum control levels
• Certain controls no longer considered effective as primary

Key Highlights of the Guidance Supplement

Guidance: Authentication in an Internet Banking Environment

Layered Security

Different controls at different points, so that a weakness in one is compensated for by strengths in another

Agencies expect “layered security” for all accounts classified as “high‐risk” under FFIEC guidance

A classic child’s toy illustrates very simply the concept of layered security…

…when a financial criminal moves beyond one layer of security, they encounter a further layer…

Layered security in the banking world…

“The institution with complementary layered technologies is akin to the house with a high fence, a big guard dog in the yard, and a burglar alarm inside. This provides multiple opportunities to catch the bad guys in the act, and encourages the criminals to go in search of easier prey.”

Source: Aite Group, 2011

Examples of Security Layers

The deeper the defense – the stronger the protection

Security Layers:
• customer education & awareness
• customer agreements
• secure browser plug-in
• image & challenge questions
• strong passwords
• tokens
• backend analytics
• TMS fraud services
• out of band authorization
• associate education & awareness
• commercial dual controls

Overt controls and invisible controls…

“When constructing a layered security program, strike a balance between overt controls (such as stronger authentication practices) and invisible controls (such as fraud detection and monitoring). Flashing lights and alarms may work well to scare thieves away, but invisible alarms that call the police are more effective at catching a thief.”

Source: Bank Systems and Technology, 2011

A Framework for Fraud Protection

A layered security system affords the best protection, since no single layer is sufficient to stop determined bad actors from penetrating enterprise systems.

Source: Gartner, 2011

Layer 1 – Endpoint‐Centric: Secure browsing, OOB authentication and transaction verification; endpoint device identification, mobile location services

Layer 2 – Navigation‐Centric: Analyzes session behavior and compares it to what is expected

Layer 3 – User and Account‐Centric for Specific Channel: Monitors and analyzes user and account behavior, and identifies anomalous behavior

Layer 4 – User and Account‐Centric Across Multiple Channels and Products: Monitors and analyzes user and account behavior across channels, and correlates alerts for each entity across channels and products

Layer 5 – Pattern‐Based Intelligence: Enables the analysis of relationships among internal and/or external entities and their attributes (e.g., users, accounts, machines)

Source: Gartner, 2011

Transaction‐level security…

“Creators of malware are innovative and nimble, and have proven to be effective at compromising security strategies that do not incorporate transaction‐level security. Effective, efficient detection of anomalies, especially those related to transaction activity, requires sophisticated behavior analytics. The key to effective protection against sophisticated attacks is transaction‐level security that can profile behavior at the user level, and can send alerts for out‐of‐pattern behavior.”

Source: Aite Group, 2011

Corporate Account Takeover: The Risk Is A Reality

Cyberthieves have cost US companies and their banks more than $15bn in the past five years, the Federal Deposit Insurance Corporation found in a recent study.

Source: Financial Times, 2012

What is Corporate Account Takeover?

A fast growing electronic crime where thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and fraudulently transfer funds from the account(s)

Payments used to commit the crime:

Domestic and International Wire Transfers

Business‐to‐Business ACH Payments

Online Bill Pay

Electronic Payroll

Five Major Aspects of the Crime

Recruitment – Utilize Command & Control network to recruit Money Mules and target victim companies

Target – Small to midsized businesses and organizations

Infiltration – Attackers utilize numerous tactics (e.g., Banking Trojans) to gain access to your network or computer

Exfiltration – Transferring electronic funds out of your account(s) through coordinated effort

Money Mules – Victims or Suspects / Money laundered

How the Takeover Happens

Criminals target victims by scams

Victim unknowingly installs software by clicking on a link or visiting an infected Internet site

Fraudsters begin monitoring the accounts

Victim logs on to their Online Banking

Fraudsters collect login credentials

Fraudsters wait for the right time and then, depending on your controls, they either log in after hours or, if you are using a token, they wait until you enter your code and then hijack the session and send you a message that Online Banking is temporarily unavailable

Sample Corporate Account Takeovers and Losses

Pennsylvania School District ‐ $450,000
New York School District ‐ $500,000
Experi‐Metal ‐ $550,000
PATCO ‐ $358,000
Hillary Machinery ‐ $229,000
Illinois Town ‐ $70,000
Marian College ‐ $189,000
Sand Springs School ‐ $80,000
Sycamore County Schools ‐ $300,000
Village View Escrow ‐ $465,000
Catholic Diocese of Des Moines ‐ $600,000
Town of Pittsford, NY ‐ $139,000
Steuben Arcs ‐ $158,000
St. Isidore’s Catholic Church ‐ $87,000
Two Trucking Companies ‐ $115,000
MECA ‐ $217,000

Source: ACH Alert

The FBI estimates Corporate Account Takeover could cost American companies as much as $1,000,000,000 in 2011 alone.

FBI currently investigating over 400 cases of corporate account takeovers in which criminals initiated unauthorized ACH and wire transfers from bank accounts of U.S. businesses.

In one 2011 wire fraud case – Zeus Trojan and keylogging compromised businesses’ login credentials and wired $11 million to China

Risk Management of Corporate Account Takeover

Blueprint for a Risk Management Framework: Corporate Account Takeover (CATO)

CATO Three-Part Framework

Protect – Implement processes and controls to protect the financial institution and corporate customers.

Detect – Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.

Respond – Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.

19 Recommended Processes and Controls

Best Practices (outlined for each of the nineteen recommended processes and controls)

Example Best Practice

Educate bank employees of warning signs that a theft may be in progress.

Red Flags of a possible takeover

Configuration Changes to Cash Management/Online Banking Profiles

New user accounts added

New ACH batches or wire templates with new payees

Changes to personal information

Disabling or changing notifications

Changes to the online account access profile

Unusual Customer Activity

Unfamiliar IP log‐on address (especially if a foreign IP address)

Unusually small transaction amounts (example: $1.00 ACH, bill pay, or other transactions – especially if made at unusual time of day)

Unusual (non‐typical) transfer of funds, especially if out of the bank

One‐time bill pay to new payees

ACH or wires to new payees or receivers and/or with unusual amounts

Changes to the account and routing numbers of existing payees, not just a new payee name

Unusual timing of transactions (based on the established transaction schedule of the corporate customer or random transactions submitted between traditional transactions)

Larger than usual transactions

Overseas transfers

Full List of Best Practices

www.ectf.dob.texas.gov – See “Recommendations”

Some Closing Thoughts to Ponder…

Survey results of 533 senior‐level executives in small and medium businesses across the United States

Source: Ponemon Institute, 2011

Startling Statistics

70% believe their banking institution is ultimately most responsible for ensuring their online accounts are secure

61% believe that only one successful fraud involving online bank accounts could destroy their trust

85% say they would transfer their business to another bank

Source: Ponemon Institute, 2011

Online Banking Fraud: FFIEC’s Guidance on Authentication in an Internet Banking Environment

Rick Maltz, Executive Vice President & Chief Risk Officer

FFIEC – Supplement to Authentication in an Internet Banking Environment (2011)

Clearly Places More Responsibility on Banks:

Requires annual risk assessments

Authentication consistent with the level of risk

Layered security must be considered

Must have practices to Detect & Respond to Suspicious Activity

Customer education & awareness

Why is this Important?

Is this your Risk Management Program?

Does your Bank want to lose money?

Do you think your customers care whose fault it is?

Consumer Liability

Under existing regulations, the Consumer liability is extremely limited:

Generally $50, but may be $500 or unlimited if Bank is not notified timely

Visa/MasterCard, generally $0, if Bank is notified after 2 business days of discovery

Basically, the Bank eats it all!

Business Liability – Under Uniform Commercial Code

For Internet transactions, the business is liable for unauthorized transfers, if:

The Bank can prove that the transaction was processed in good faith, and

The Bank provided & complied with commercially reasonable security procedures


Challenges to UCC standards

Banks are being sued for losses due to:

Failed or weak security practices

Ineffective monitoring

Should the car dealer be liable for this? If you… get hurt because you decided not to wear your seatbelt?


Both the Bank & Business Can and Will Lose Money!


Threat Environment

Organized Global Crime

Criminals making investments in people & technology just like normal businesses

Sanctioned in some countries for economic benefit

Can be related to terrorist financing

Money Laundering key to successful fraud activities

Threat complexity is overwhelming traditional defenses

Threat Environment

Criminals know that most small businesses don’t:
• Always use Bank security features,
• Monitor & reconcile accounts, or
• Have resources to protect data & systems

Threat Landscape

Fraud, Data Loss and Identity Theft continue to frustrate Banks & Customers


Traditional Threats:

Credential Theft by:

Phishing

Vishing

Smishing


Significant Threat: Malware

Malicious Software, designed to infiltrate a computer system without the owner’s informed consent

Malware Trends (Source: Symantec Intelligence Report)

Simple Email Statistics (source: Symantec Intelligence Report – February 2012)

Estimated Total # of Global e-mail messages:

1.3 trillion messages in Feb 2012

or

43.1 billion email messages per day

which translates to:

Almost 500 million per second

Spam Email (source: Symantec Intelligence Report – February 2012)

If 68% of all e-mail was considered spam in February, then:

29.4 billion spam emails per day

or

339.7 million per second

Malicious Email (source: Symantec Intelligence Report – February 2012)

One in every 358 emails was a phishing scam

That’s over 120 million phishing emails per month or 4.2 million per day

One in every 274 emails contained Malware

That’s over 157 million emails with malware per month or 5.4 million per day


Threat: “Drive by E-mails”

Instant infection threat:

Infects users who simply view a message, or possibly just glance at it in a preview window

New generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware

Traditional defenses are no longer effective by themselves:

Multi-Factor or Strong Authentication

Challenge Response Questions

Virus Protection, Firewalls


Why is compliance with the guidance important?

Because it makes sense!


What Can Banks Do?


Not Going to Work!


Leverage Current Investments

Leverage Personnel

BSA/AML Analysts:
• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs

Fraud & Information Security Analysts:
• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs

Learn to Share Intelligence Internally

Leverage Technology Investments

Consolidate technology where practical:
• Wire & ACH Monitoring
• Monitoring of log-on anomalies
• AML
• Debit Card fraud
• Check Fraud
• Case Management & SAR filing

Practice Defense in Depth

Control: Out-of-Band Authentication

Enhanced Multi-Factor Authentication

1. User logs in with their Username and Password – something you know

2. User is prompted to select channel for delivery of One Time Password (OTP) – something you have *

Login Code: 351073

Because of multi-factor authentication, a fraudster cannot independently log into a user account.

• Fraudster would need to know username/password AND have the user’s phone. *

Control: Transaction Verification

Require secondary approval of transactions or key changes with OTP

Transaction OTP requires a second individual to verify the EFT.

• In separate out of band channel, User sees transaction detail and amount
• Unless verified with OTP, the EFT will not go through

Payment
To: Bob, Account #12345
Amount: $100.00
Access Code: 46548
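The two controls above hinge on one detail: the transaction code must be derived from the payee, account and amount the user actually saw out of band, so it cannot be reused for a transaction the malware rewrote in the browser. The following is an added example, not code from the presenters, Verafin or Bangor Savings Bank. It assumes an HMAC-based code (HOTP-style truncation, RFC 4226) over a per-user secret provisioned to the user's phone, a 120-second validity window and 6 digits; the slide's sample code has 5 digits and says nothing about how it is generated, so all of those are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: one enrolled user whose OTP secret was provisioned to
# their out-of-band device (phone) at enrolment. The bank keeps the copy below.
USER_SECRETS = {"alice": secrets.token_bytes(32)}

OTP_DIGITS = 6               # assumption; the slide's sample code has 5 digits
OTP_WINDOW_SECONDS = 120     # assumption: how long a transaction code stays valid


def _truncate(digest: bytes, digits: int = OTP_DIGITS) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) of an HMAC digest."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def time_window(now=None) -> int:
    """Counter that advances once per OTP_WINDOW_SECONDS."""
    now = time.time() if now is None else now
    return int(now // OTP_WINDOW_SECONDS)


def login_otp(user: str, window: int) -> str:
    """Step 2 of the login slide: a code that proves possession of the enrolled device."""
    msg = f"login|{user}|{window}".encode()
    return _truncate(hmac.new(USER_SECRETS[user], msg, hashlib.sha256).digest())


def transaction_otp(user: str, payee: str, account: str, amount_cents: int, window: int) -> str:
    """A code derived from the exact payee, account and amount shown out of band,
    so it can verify that transaction and no other."""
    msg = f"txn|{user}|{payee}|{account}|{amount_cents}|{window}".encode()
    return _truncate(hmac.new(USER_SECRETS[user], msg, hashlib.sha256).digest())


def verify_transaction(user, payee, account, amount_cents, code, now=None) -> bool:
    """Bank-side check: recompute the code from the transaction the bank is about
    to release and compare in constant time; allow one window of clock drift."""
    w = time_window(now)
    return any(
        hmac.compare_digest(transaction_otp(user, payee, account, amount_cents, cand), code)
        for cand in (w, w - 1)
    )


def demo(now: float = 1_000_000.0) -> dict:
    """The genuine EFT verifies; an EFT with altered destination or amount does not;
    a code captured earlier is useless once its window has passed."""
    w = time_window(now)
    code = transaction_otp("alice", "Bob", "12345", 10_000, w)   # $100.00 to Bob, as on the slide
    return {
        "genuine_transfer_verifies": verify_transaction("alice", "Bob", "12345", 10_000, code, now),
        # The user approved Bob / #12345; a session hijacker who changes the
        # destination account cannot reuse the code the user keyed in.
        "altered_destination_rejected": not verify_transaction("alice", "Bob", "99999", 10_000, code, now),
        "altered_amount_rejected": not verify_transaction("alice", "Bob", "12345", 950_000, code, now),
        "stale_code_rejected": not verify_transaction("alice", "Bob", "12345", 10_000, code,
                                                      now + 3 * OTP_WINDOW_SECONDS),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design choice worth noting is that the bank recomputes the code from the transaction it is about to execute, not from the one the browser claims the user approved; that is what makes the out-of-band display meaningful when the endpoint is compromised.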

Control: Callbacks

Bank will call to verify whether a transaction is authentic:
• The call should go to someone other than the person who initiated the transaction
• Call should be confirmed by a “PIN”

Callbacks are effective as they provide true “out of band” authentication. They protect against both internal & external fraud.


Control: Browser-based control

Control: Separation of Duties

Configure one account with permission to initiate a funds transfer

Configure a secondary account to approve the transfer

User A initiates EFT; User B approves EFT

By separating the capabilities in this way, you prevent a scenario where one account can transfer funds independently.
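How an online banking platform can enforce the dual control described above, as an added example (not the presenters' or any vendor's code). It assumes a simple permission model of "initiate" and "approve" per user, and it also covers the case the slide's two-account setup leaves implicit: a user who holds both permissions still may not approve a transfer they initiated themselves.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


class DualControlError(Exception):
    """Raised when an action would let one account move funds on its own."""


@dataclass
class Transfer:
    transfer_id: str
    initiated_by: str
    payee: str
    amount_cents: int
    state: str = "pending"            # pending -> approved -> released
    approved_by: Optional[str] = None


class TransferWorkflow:
    """Tracks EFTs through initiate / approve / release with dual control enforced."""

    def __init__(self, permissions: Dict[str, Set[str]]):
        # user -> subset of {"initiate", "approve"}; constructed sample mapping
        self.permissions = permissions
        self.transfers: Dict[str, Transfer] = {}

    def _require(self, user: str, permission: str) -> None:
        if permission not in self.permissions.get(user, set()):
            raise DualControlError(f"{user} does not hold the '{permission}' permission")

    def initiate(self, user: str, transfer_id: str, payee: str, amount_cents: int) -> Transfer:
        self._require(user, "initiate")
        t = Transfer(transfer_id, user, payee, amount_cents)
        self.transfers[transfer_id] = t
        return t

    def approve(self, user: str, transfer_id: str) -> Transfer:
        t = self.transfers[transfer_id]
        self._require(user, "approve")
        if t.state != "pending":
            raise DualControlError(f"transfer {transfer_id} is {t.state}, not pending")
        # Core of the control: even a user holding both permissions may never
        # approve a transfer they initiated themselves.
        if user == t.initiated_by:
            raise DualControlError(f"{user} initiated {transfer_id} and may not approve it")
        t.state, t.approved_by = "approved", user
        return t

    def release(self, transfer_id: str) -> bool:
        """Funds leave only for an approved transfer with two distinct parties."""
        t = self.transfers[transfer_id]
        if t.state == "approved" and t.approved_by not in (None, t.initiated_by):
            t.state = "released"
            return True
        return False


def demo() -> dict:
    # Constructed users: A may only initiate, B may only approve, C holds both.
    wf = TransferWorkflow({"user_a": {"initiate"}, "user_b": {"approve"},
                           "user_c": {"initiate", "approve"}})
    results = {}

    wf.initiate("user_a", "eft-1", "Parts Supplier", 425_000)
    try:
        wf.approve("user_a", "eft-1")             # A lacks the approve permission
        results["initiator_self_approval_blocked"] = False
    except DualControlError:
        results["initiator_self_approval_blocked"] = True
    results["released_before_approval"] = wf.release("eft-1")        # nothing leaves yet
    wf.approve("user_b", "eft-1")
    results["released_after_second_party_approval"] = wf.release("eft-1")

    wf.initiate("user_c", "eft-2", "New Vendor", 980_000)
    try:
        wf.approve("user_c", "eft-2")             # C has both permissions but is the initiator
        results["dual_role_self_approval_blocked"] = False
    except DualControlError:
        results["dual_role_self_approval_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```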

Control: Separation of PCs

Use separate PCs:
• One PC to initiate a funds transfer
• One PC to approve a funds transfer
• Don’t allow other Internet Activity

User A initiates EFT; User B approves EFT

By isolating the PCs in this way, you reduce the risk that malware can infect both machines and steal information

Control: Strong Passwords

A well-chosen password is easy to remember, but hard to guess.

• Length: Minimum 8 characters
• Complexity: Combination of mixed case letters, numbers, and special characters.
• Periodically change password
• Do not share passwords

A few of the common things to avoid in your password:
• User ID, family member or name, pet name, address, birth dates, SSN, account #, phone #
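A policy checker that applies the rules above, including the "things to avoid" list, as an added example rather than code from the presenters. The personal-information dictionary is a constructed sample; the rule that any run of four or more digits from a personal value (a birth year, the last four of an SSN) also counts as a match is an assumption that goes slightly beyond the slide.

```python
import re

# Constructed sample of the personal details an attacker could learn about a user.
SAMPLE_PERSONAL_INFO = {
    "user ID": "jsmith",
    "family name": "Smith",
    "pet name": "Rex",
    "street address": "42 Elm St",
    "birth date": "03/12/1990",
    "SSN": "123-45-6789",
    "account number": "12345",
    "phone number": "555-0142",
}


def password_weaknesses(password: str, personal_info: dict) -> list:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    lowered = password.lower()
    password_digits = re.sub(r"\D", "", password)
    for label, value in personal_info.items():
        text = str(value).lower()
        if len(text) >= 3 and text in lowered:
            problems.append(f"contains {label}")
        # Assumption: any 4+ digit run from a personal value (e.g. a birth year)
        # appearing among the password's digits is also treated as a match.
        elif any(run in password_digits for run in re.findall(r"\d{4,}", text)):
            problems.append(f"contains {label}")
    return problems


if __name__ == "__main__":
    for candidate in ("Rex1990!!", "Smith12345", "Tr0ub4dor&3"):
        print(candidate, "->", password_weaknesses(candidate, SAMPLE_PERSONAL_INFO) or "OK")
```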

Control: Malware protection, Patching, and Firewalls

Firewalls limit the potential for unauthorized access to a network and computers

Anti Virus, Anti-Spyware
• Install and ensure virus protection and security software are updated regularly

Patching
• Ensure security patches are applied to both OS and applications (Microsoft, Adobe, Java, etc.)

Firewall (Corporate & desktop)
• Install a dedicated, actively managed firewall

Transaction Alerting

• User makes a change
• User is instantly alerted of change

Payee Added: Bob, Account #12345

It is impossible to prevent attacks on insecure client PCs. Transaction alerting (TA) exposes the results of transactions to the user, who then can take appropriate action.

• User is notified when important changes are made
• If alerted of a change they did not make, users will naturally contact the FI

Control: Monitor for Unusual Activity

Look for event anomalies associated with:
• Logon activity
• Changes in user profiles, customer setup
• IP addresses not associated with your corporation
• Transactions not consistent with customer’s behavior
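The monitoring control above and the "Red Flags of a possible takeover" list earlier in the deck describe the same detection logic from two angles. The following is an added example, not code from the presenters or any vendor, that runs those red flags over a constructed customer profile and a constructed event stream (logins and payments). The profile fields, the "larger than usual" threshold of mean plus three standard deviations, and the one-hour correlation window are all assumptions; the slides give no numbers.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed customer profile: what "normal" looks like for one corporate client.
PROFILE = {
    "known_ips": {"203.0.113.10", "203.0.113.11"},      # documentation-range addresses
    "home_country": "US",
    "business_hours": (8, 18),                          # local hours, [start, end)
    # Existing payees keyed by name: (routing number, account number); all made up
    "known_payees": {"Parts Supplier": ("021000021", "7788990")},
    "recent_amounts": [4200.0, 3900.0, 4500.0, 4100.0, 4300.0],   # recent ACH totals, USD
}

# Constructed event stream: two ordinary events, then an after-hours session
# that trips several of the slide's red flags at once.
EVENTS = [
    {"type": "login", "ts": "2012-04-10T09:15:00", "ip": "203.0.113.10", "ip_country": "US"},
    {"type": "payment", "ts": "2012-04-10T09:40:00", "payee": "Parts Supplier",
     "routing": "021000021", "account": "7788990", "amount": 4250.0, "dest_country": "US"},
    {"type": "login", "ts": "2012-04-11T02:05:00", "ip": "198.51.100.77", "ip_country": "RO"},
    {"type": "payment", "ts": "2012-04-11T02:10:00", "payee": "Parts Supplier",
     "routing": "021000021", "account": "5551234", "amount": 1.00, "dest_country": "US"},
    {"type": "payment", "ts": "2012-04-11T02:30:00", "payee": "New Vendor LLC",
     "routing": "111000025", "account": "4433221", "amount": 9800.0, "dest_country": "GB"},
]


def red_flags(profile: dict, event: dict) -> list:
    """Return the red flags (from the slide's list) that a single event trips."""
    flags = []
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = profile["business_hours"]
    if not start <= hour < end:
        flags.append("unusual timing")

    if event["type"] == "login":
        if event["ip"] not in profile["known_ips"]:
            flags.append("unfamiliar IP address")
        if event["ip_country"] != profile["home_country"]:
            flags.append("foreign IP address")
        return flags

    # Payment checks: payee changes, test amounts, size, destination.
    known = profile["known_payees"].get(event["payee"])
    if known is None:
        flags.append("new payee")
    elif known != (event["routing"], event["account"]):
        flags.append("changed account/routing for existing payee")
    if event["amount"] <= 1.00:
        flags.append("unusually small (test) transaction")
    amounts = profile["recent_amounts"]
    if event["amount"] > mean(amounts) + 3 * pstdev(amounts):   # threshold is an assumption
        flags.append("larger than usual transaction")
    if event["dest_country"] != profile["home_country"]:
        flags.append("overseas transfer")
    return flags


def review_queue(profile: dict, events: list) -> list:
    """Events that need an analyst's attention, in order, with their flags."""
    queue = []
    for i, ev in enumerate(events):
        flags = red_flags(profile, ev)
        if flags:
            queue.append({"index": i, "ts": ev["ts"], "type": ev["type"], "flags": flags})
    return queue


def escalate(queue: list, minutes: int = 60) -> list:
    """Correlate across events: a test transaction followed within `minutes` by a
    large or new-payee payment is a stronger signal than either alert alone."""
    hits = []
    for a in queue:
        if "unusually small (test) transaction" not in a["flags"]:
            continue
        t0 = datetime.fromisoformat(a["ts"])
        for b in queue:
            t1 = datetime.fromisoformat(b["ts"])
            if (b["index"] > a["index"] and (t1 - t0).total_seconds() <= minutes * 60
                    and {"larger than usual transaction", "new payee"} & set(b["flags"])):
                hits.append((a["index"], b["index"]))
    return hits


if __name__ == "__main__":
    queue = review_queue(PROFILE, EVENTS)
    for item in queue:
        print(item["ts"], item["type"], "->", ", ".join(item["flags"]))
    print("escalate:", escalate(queue))
```

Per-event flags correspond to the deck's layer 3 (account-centric anomalies); the `escalate` step is the layer 4 idea of correlating alerts for one entity, and it is the pairing of a $1.00 probe with a large transfer to a new payee minutes later that should move the case from a queue to a phone call.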

Control: Customer Contracts

Evaluate customer contracts:
• Clearly define security procedures
• Define customer’s responsibility
• Provide educational material
• Do not allow “Opt Out”


Educate your customers:

Prevention is a Partnership

Risk Problem – Van has rolled over the edge

Risk Solution – Lift it with a crane

Risk Monitoring: Going well so far……..

Ooooops……..New Risk Problem

Traditional Thinking – Get A Bigger Crane

Result of Traditional Thinking….Who cares!

If you continue to think inside of the box, you will lose $

Q&A

• Locate the Q & A box on the bottom right hand corner of the WebEx platform.

• Type in your question and click send!


If you have suggestions for future web seminars or additional questions for today’s experts, please send them to: training@acams.org

Thank you for joining us today!

Next Web Seminar: AML Audit (Part I): Demystifying the AML Audit Discovery Phase—Preparing for the Pre-Visit

April 18, 2012 – Noon to 2:00 PM EDT

Recommended