www2.acams.org/webinars

ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security

COPYRIGHT NOTICE – USE OF WEBEX LOGIN/PASSWORD FOR ACAMS WEB SEMINARS

Each site license entitles registrant to one login: one phone connection (if accessing audio via teleconference) and one Internet connection for simultaneous Webcast, in one room where an unlimited number of listeners may participate.

Providing your login instructions and password to another for their use, using your login ID/password more than once, or any simultaneous or delayed transmission, broadcast, re-transmission or re-broadcast of this event to additional sites/rooms by any means (including but not limited to the use of telephone conferencing services or a conference bridge, whether external or owned by the registrant) or recording is a violation of U.S. copyright law and is strictly prohibited.


Technical Assistance

• Send a message via the Q & A box

• Or call WebEx Technical Support: (US & Canada) 866-229-3239, (International) 916-229-3239

Attendee instructions on how to use Audio Broadcast

• Do not close the Audio Broadcast panel

• If you are not able to listen to the audio on your computer speakers, press the stop button, wait 5 seconds then press play.

• Make sure to adjust the volume button on your computer speakers and also adjust the volume on your sound card. To do this, go to the Start Menu, click Control Panel, then click Sound & Audio Devices and adjust accordingly.

• If you do not have speakers, please refer to your login instructions for the Teleconference Domestic and International Numbers and Access Code.

• You may request the Teleconference Number by clicking “Request” under the attendee box on your left hand side.


Welcome to Today’s ACAMS Web Seminar

ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security

April 11, 2012, 12:00 Noon – 1:00 PM EDT

A sound check will be performed 5 minutes before the start time.


• Can you hear the sound check? • It has begun


To send a question:

• Locate the Q & A box on the bottom right hand corner of the WebEx platform.

• Type in your question and click send!


Today’s Presenters


Co‐founded Verafin (BSA/AML Compliance & Fraud Detection software company) in 2003

Frequent speaker at industry conferences and key presenter for Verafin’s anti‐financial crime thought leadership webinar series

Verafin has more than 800 financial institution customers across North America

BRENDAN BROTHERS, Co‐Founder, Verafin


Rick has over 29 years of experience in Banking, specializing in Risk Management, Information Security, Operations, Compliance and Internal Audit.

Has been with Bangor Savings Bank for 13 years

Oversees enterprise risk management, information & physical security, fraud management, compliance, BSA, credit policy, loan review, real estate valuation and legal

RICK MALTZ, Executive Vice President & Chief Risk Officer, Bangor Savings Bank


Today’s Agenda:

FFIEC Guidance on Internet Banking

Layered Security

Corporate Account Take Over

Processes, Controls & Best Practices to Combat Online Account Takeover


Overview of Changes in 2011 Supplement

Guidance

2011

Authentication in an Internet Banking Environment

2005


Small and midsize businesses are frequent targets

Despite expectation for periodic risk assessments, examiners reported that some FIs have not done so

Agencies needed to reemphasize and clarify control expectations

Supplement has more specificity:

New expected minimum control levels

Certain controls no longer considered effective as primary

Since 2005, threats have become more sophisticated, effective, and malicious


Key Highlights of the Guidance Supplement

Guidance: Authentication in an Internet Banking Environment


Layered Security

Different controls at different points so weakness in one compensated for by strengths in another

Agencies expect “layered security” for all accounts classified as “high‐risk” under FFIEC guidance


a classic child’s toy illustrates very simply

the concept of layered security…


when a financial criminal moves beyond one layer of security…

…they encounter a further layer


layered security in the banking world…


“The institution with complementary layered technologies is akin to the house with a high fence, a big guard dog in the yard, and a burglar alarm inside. This provides multiple opportunities to catch the bad guys in the act, and encourages the criminals to go in search of easier prey.”

Source: Aite Group, 2011


Examples of Security Layers

the deeper the defense – the stronger the protection


Security Layers

• tokens

• customer education & awareness

• customer agreements

• secure browser plug-in

• image & challenge questions

• strong passwords

• backend analytics

• TMS fraud services

• out of band authorization

• associate education & awareness

• commercial dual controls


overt controls and invisible controls…


“When constructing a layered security program, strike a balance between overt controls (such as stronger authentication practices) and invisible controls (such as fraud detection and monitoring). Flashing lights and alarms may work well to scare thieves away, but invisible alarms that call the police are more effective at catching a thief.”

Source: Bank Systems and Technology, 2011


A Framework for Fraud Protection

A layered security system affords the best protection, since no single layer is sufficient to stop determined bad actors from penetrating enterprise systems.

Source: Gartner, 2011


Layer 1: Endpoint‐Centric

Secure browsing, OOB authentication and transaction verification

Endpoint device identification, mobile location services

Source: Gartner, 2011


Layer 2: Navigation‐Centric

Analyzes session behavior and compares it to what is expected

Source: Gartner, 2011


Layer 3: User and Account‐Centric for Specific Channel

Monitors and analyzes user and account behavior, and identifies anomalous behavior

Source: Gartner, 2011


Layer 4: User and Account‐Centric Across Multiple Channels and Products

Monitors and analyzes user and account behavior across channels, and correlates alerts for each entity across channels and products

Source: Gartner, 2011


Layer 5: Pattern‐Based Intelligence

Enables the analysis of relationships among internal and/or external entities and their attributes (e.g., users, accounts, machines)

Source: Gartner, 2011


transaction‐level security…


“Creators of malware are innovative and nimble, and have proven to be effective at compromising security strategies that do not incorporate transaction‐level security. Effective, efficient detection of anomalies, especially those related to transaction activity, requires sophisticated behavior analytics. The key to effective protection against sophisticated attacks is transaction‐level security that can profile behavior at the user level, and can send alerts for out‐of‐pattern behavior.”

Source: Aite Group, 2011


Corporate Account Takeover

The Risk Is A Reality


Source: Financial Times, 2012

Cyberthieves have cost US companies and their banks more than $15bn in the past five years, the Federal Deposit Insurance Corporation found in a recent study.


What is Corporate Account Takeover?

A fast growing electronic crime where thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and fraudulently transfer funds from the account(s)

Payments used to commit the crime:

Domestic and International Wire Transfers

Business‐to‐Business ACH Payments

Online Bill Pay

Electronic Payroll


Five Major Aspects of the Crime

Recruitment – Utilize Command & Control network to recruit Money Mules and target victim companies

Target – Small to midsized business and organizations

Infiltration – Attackers utilize numerous tactics to gain access to your network or computer, Banking Trojans

Exfiltration – Transferring electronic funds out of your account(s) through coordinated effort

Money Mules – Victims or Suspects/Money laundered


How the Takeover Happens

Criminals target victims by scams

Victim unknowingly installs software by clicking on a link or visiting an infected Internet site

Fraudsters begin monitoring the accounts

Victim logs on to their Online Banking

Fraudsters collect login credentials

Fraudsters wait for the right time and then depending on your controls:

• they either login after hours

• or if you are using a token ‐ they wait until you enter your code and then hijack the session and send you a message that Online Banking is temporarily unavailable


Sample Corporate Account Takeovers and Losses

Pennsylvania School District ‐ $450,000

New York School District ‐ $500,000

Experi‐Metal ‐ $550,000

PATCO ‐ $358,000

Hillary Machinery ‐ $229,000

Illinois Town ‐ $70,000

Marian College ‐ $189,000

Sand Springs School ‐ $80,000

Sycamore County Schools ‐ $300,000

Village View Escrow ‐ $465,000

Catholic Diocese of Des Moines ‐ $600,000

Town of Pittsford, NY ‐ $139,000

Steuben Arcs ‐ $158,000

St. Isidore’s Catholic Church ‐ $87,000

Two Trucking Companies ‐ $115,000

MECA ‐ $217,000


Source: ACH Alert

The FBI estimates Corporate Account Takeover could cost American companies as much as $1,000,000,000 in 2011 alone.

FBI currently investigating over 400 cases of corporate account takeovers in which criminals initiated unauthorized ACH and wire transfers from bank accounts of U.S. businesses.

In one 2011 wire fraud case – Zeus Trojan and keylogging compromised businesses’ login credentials and wired $11 million to China


Risk Management of Corporate Account Takeover


Blueprint for a Risk Management Framework

Corporate Account Takeover (CATO)


CATO

Three-Part Framework


CATO – Protect

Implement processes and controls to protect the financial institution and corporate customers.


CATO – Detect

Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.


CATO – Respond

Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.


19 Recommended Processes and Controls


Best Practices

(outlined for each of the nineteen recommended processes and controls)


Example Best Practice

Educate bank employees of warning signs that a theft may be in progress.

Red Flags of a possible takeover


Configuration Changes to Cash Management/Online Banking Profiles

New user accounts added

New ACH batches or wire templates with new payees

Changes to personal information

Disabling or changing notifications

Changes to the online account access profile


Unusual Customer Activity

Unfamiliar IP log‐on address (especially if a foreign IP address)

Unusually small transaction amounts (example: $1.00 ACH, bill pay, or other transactions – especially if made at unusual time of day)

Unusual (non‐typical) transfer of funds, especially if out of the bank

One‐time bill pay to new payees

ACH or wires to new payees or receivers and/or with unusual amounts

Changes to the account and routing numbers of existing payees, not just a new payee name

Unusual timing of transactions (based on the established transaction schedule of the corporate customer or random transactions submitted between traditional transactions)

Larger than usual transactions

Overseas transfers
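The "Unusual Customer Activity" red flags above, and the user-level behavior profiling described in the Aite Group quote, can be expressed as rule checks against a per-customer baseline. The following is an added example, not part of the original presentation; the profile structure, field names, thresholds and sample transactions are all constructed assumptions.

```python
"""Added example: rule checks for the 'Unusual Customer Activity' red flags."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Profile:
    """Per-customer baseline built from past activity (hypothetical structure)."""
    known_ips: set        # log-on addresses seen before for this customer
    home_country: str     # country the customer normally operates from
    payees: dict          # payee name -> (routing number, account number)
    past_amounts: list    # historical outbound payment amounts
    usual_hours: range    # local hours in which the customer normally transacts


MICRO_AMOUNT = 1.00       # assumption: the "$1.00" test payment from the slide
LARGE_MULTIPLIER = 3      # assumption: "larger than usual" = 3x the median amount
ALERT_THRESHOLD = 2       # assumption: alert when two or more flags coincide


def red_flags(profile, txn):
    """Return the red flags one outbound payment raises against the baseline."""
    flags = []
    if txn["ip"] not in profile.known_ips:
        flags.append("unfamiliar_ip")
        if txn["ip_country"] != profile.home_country:
            flags.append("foreign_ip")
    if txn["amount"] <= MICRO_AMOUNT:
        flags.append("micro_amount")
    known = profile.payees.get(txn["payee"])
    if known is None:
        flags.append("new_payee")
    elif known != (txn["routing"], txn["account"]):
        # Same payee name, different routing/account number than on file.
        flags.append("payee_account_changed")
    if txn["time"].hour not in profile.usual_hours:
        flags.append("unusual_time")
    if txn["amount"] > LARGE_MULTIPLIER * median(profile.past_amounts):
        flags.append("larger_than_usual")
    if txn["dest_country"] != profile.home_country:
        flags.append("overseas_transfer")
    return flags


def triage(profile, txns):
    """Return (transaction id, flags) for payments that should be reviewed."""
    alerts = []
    for txn in txns:
        flags = red_flags(profile, txn)
        if len(flags) >= ALERT_THRESHOLD:
            alerts.append((txn["id"], flags))
    return alerts


# Constructed sample data (documentation IP ranges, placeholder account numbers).
PROFILE = Profile(
    known_ips={"198.51.100.10"},
    home_country="US",
    payees={"Acme Supply": ("000000001", "1234567")},
    past_amounts=[1200, 1500, 900, 1100, 1300],
    usual_hours=range(8, 18),
)

SAMPLE_TXNS = [
    # Routine payment to a payee on file, during business hours.
    {"id": "t1", "ip": "198.51.100.10", "ip_country": "US", "amount": 1250.00,
     "payee": "Acme Supply", "routing": "000000001", "account": "1234567",
     "time": datetime(2012, 4, 2, 10, 30), "dest_country": "US"},
    # $1.00 payment at night from an unfamiliar foreign address to a new payee.
    {"id": "t2", "ip": "203.0.113.77", "ip_country": "ZZ", "amount": 1.00,
     "payee": "J. Doe", "routing": "000000002", "account": "7654321",
     "time": datetime(2012, 4, 3, 2, 14), "dest_country": "US"},
    # Existing payee name, but the account number was changed; large amount.
    {"id": "t3", "ip": "198.51.100.10", "ip_country": "US", "amount": 9800.00,
     "payee": "Acme Supply", "routing": "000000001", "account": "9999999",
     "time": datetime(2012, 4, 3, 14, 0), "dest_country": "US"},
    # Wire to a new payee outside the home country.
    {"id": "t4", "ip": "198.51.100.10", "ip_country": "US", "amount": 1000.00,
     "payee": "Northwind Ltd", "routing": "000000003", "account": "5550001",
     "time": datetime(2012, 4, 4, 11, 0), "dest_country": "GB"},
]

if __name__ == "__main__":
    for txn_id, flags in triage(PROFILE, SAMPLE_TXNS):
        print(txn_id, ", ".join(flags))
```

Requiring two coinciding flags keeps a single new payee or a single late payment from raising an alert on its own; the threshold is a tuning choice, not something the presentation specifies.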


Full List of Best Practices

www.ectf.dob.texas.gov

See “Recommendations”


Some Closing Thoughts to Ponder…

Survey results of 533 senior‐level executives in small and medium businesses across the United States

Source: Ponemon Institute, 2011


Startling Statistics

70% believe their banking institution is ultimately most responsible for ensuring their online accounts are secure

61% believe that only one successful fraud involving online bank accounts could destroy their trust

85% say they would transfer their business to another bank

Source: Ponemon Institute, 2011


Online Banking Fraud

FFIEC’s Guidance on Authentication in an Internet Banking Environment

Rick Maltz, Executive Vice President & Chief Risk Officer


FFIEC – Supplement to Authentication in an Internet Banking Environment (2011)

Clearly Places More Responsibility on Banks:

Requires annual risk assessments

Authentication consistent with the level of risk

Layered security must be considered

Must have practices to Detect & Respond to Suspicious Activity

Customer education & awareness


Why is this Important?


Is this your Risk Management Program?

Does your Bank want to lose money?

Do you think your customers care whose fault it is?

Consumer Liability

Under existing regulations, consumer liability is extremely limited:

Generally $50, but may be $500 or unlimited if the Bank is not notified in a timely manner

Visa/MasterCard, generally $0, if Bank is notified after 2 business days of discovery

Basically, the Bank eats it all!

Business Liability Under the Uniform Commercial Code

For Internet transactions, the business is liable for unauthorized transfers if:

The Bank can prove that the transaction was processed in good faith, and

The Bank provided & complied with commercially reasonable security procedures

Challenges to UCC standards

Banks are being sued for losses due to:

Failed or weak security practices

Ineffective monitoring

Should the car dealer be liable for this? If you…….

Get hurt because you decided not to wear your seatbelt?

Both the Bank & Business Can and Will Lose Money!

Threat Environment

Organized Global Crime

Criminals making investments in people & technology just like normal businesses

Sanctioned in some countries for economic benefit

Can be related to terrorist financing

Money Laundering key to successful fraud activities

Threat complexity is overwhelming traditional defenses

Threat Environment

Criminals know that most small businesses don’t:

• Always use Bank security features,
• Monitor & reconcile accounts, or
• Have resources to protect data & systems

Threat Landscape

Fraud, Data Loss and Identity Theft continue to frustrate Banks & Customers

Traditional Threats:

Credential Theft by:

Phishing

Vishing

Smishing

Significant Threat: Malware

Malicious Software, designed to infiltrate a computer system without the owner’s informed consent

Malware Trends (Source: Symantec Intelligence Report)

Simple Email Statistics

(Source: Symantec Intelligence Report, February 2012)

Estimated Total # of Global e-mail messages:

1.3 trillion messages in Feb 2012

or

43.1 billion email messages per day

which translates to:

Almost 500 million per second

Spam Email

(Source: Symantec Intelligence Report, February 2012)

If 68% of all e-mail was considered spam in February, then:

29.4 billion spam emails per day

or

339.7 million per second

Malicious Email

(Source: Symantec Intelligence Report, February 2012)

One in every 358 emails was a phishing scam

That’s over 120 million phishing emails per month or 4.2 million per day

One in every 274 emails contained Malware

That’s over 157 million emails with malware per month or 5.4 million per day

Threat: “Drive by E-mails”

Instant infection threat:

Infects users who simply view a message, or possibly just glance at it in a preview window

A new generation of e-mail-borne malware consists of HTML e-mails containing JavaScript that automatically downloads malware

Traditional defenses are no longer effective by themselves:

Multi-Factor or Strong Authentication

Challenge Response Questions

Virus Protection, Firewalls

Why is compliance with the guidance important?

Because it makes sense!

What Can Banks Do?

Not Going to Work!

Leverage Current Investments

Leverage Personnel

BSA/AML Analysts

• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs

Fraud & Information Security Analysts

• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs

Learn to Share Intelligence Internally

Leverage Technology Investments

Consolidate technology where practical:

• Wire & ACH Monitoring
• Monitoring of log-on anomalies
• AML
• Debit Card fraud
• Check Fraud
• Case Management & SAR filing

Practice Defense in Depth

Control: Out-of-Band Authentication

Enhanced Multi-Factor Authentication

1. User logs in with their Username and Password

Something you know

Control: Out-of-Band Authentication

2. User is prompted to select channel for delivery of One Time Password (OTP)

Something you have *

Login Code: 351073

Because of multi-factor authentication, a fraudster cannot independently log in to a user account.

• Fraudster would need to know the username/password AND have the user’s phone. *

Control: Transaction Verification

Transaction OTP requires a second individual to verify the EFT.

• In a separate out-of-band channel, the user sees the transaction detail and amount
• Unless verified with OTP, the EFT will not go through

Require secondary approval of transactions or key changes with OTP

Payment

To: Bob, Account #12345

Amount: $100.00

Access Code: 46548

Control: Callbacks

Bank will call to verify whether a transaction is authentic:

The call should go to someone other than the person who initiated the transaction

Call should be confirmed by a “PIN”

Callbacks are effective as they provide true “out of band” authentication.

They protect against both internal & external fraud

Control: Browser-based control

Control: Separation of Duties

• Configure one account with permission to initiate a funds transfer
• Configure a secondary account to approve the transfer

User A initiates EFT; User B approves EFT

By separating the capabilities in this way, you prevent a scenario where one account can transfer funds independently.
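The Transaction Verification and Separation of Duties controls above can be combined in one release check. The sketch below is an added example, not code from the presentation: the class and function names, the 5-minute validity window, the retry limit and the truncated HMAC-SHA256 code derivation are all assumptions chosen for illustration, not a standard OTP scheme.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window (not from the slides)
MAX_ATTEMPTS = 3       # assumed limit on wrong codes


class TransferError(Exception):
    """Raised when a transfer may not be initiated or released."""


def transaction_code(key, payee, account, amount_cents):
    # The code is derived from the payment details, so it is valid only
    # for this exact payee, account and amount.
    msg = f"{payee}|{account}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TransferDesk:
    """Holds each EFT until a second user confirms it with its code."""

    def __init__(self, initiators, approvers, clock=time.time):
        self.initiators, self.approvers = set(initiators), set(approvers)
        self.clock = clock
        self.pending = {}

    def initiate(self, user, payee, account, amount_cents):
        """User A creates the EFT. Returns (id, text for the approver's phone)."""
        if user not in self.initiators:
            raise TransferError("user is not permitted to initiate transfers")
        tid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[tid] = {
            "initiator": user, "payee": payee, "account": account,
            "amount_cents": amount_cents, "key": key, "attempts": 0,
            "expires": self.clock() + OTP_TTL_SECONDS,
        }
        code = transaction_code(key, payee, account, amount_cents)
        text = (f"Payment To: {payee}, Account #{account} "
                f"Amount: ${amount_cents / 100:.2f} Access Code: {code}")
        return tid, text

    def approve(self, tid, user, code):
        """User B releases the EFT with the code read from the phone."""
        rec = self.pending.get(tid)
        if rec is None:
            raise TransferError("unknown or already used transfer")
        if user not in self.approvers or user == rec["initiator"]:
            raise TransferError("approval needs a second, authorised user")
        if self.clock() > rec["expires"]:
            del self.pending[tid]
            raise TransferError("code expired")
        expected = transaction_code(rec["key"], rec["payee"], rec["account"],
                                    rec["amount_cents"])
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self.pending[tid]  # stop code guessing
            raise TransferError("wrong code for these payment details")
        del self.pending[tid]  # single use
        return {k: rec[k] for k in ("payee", "account", "amount_cents")}


if __name__ == "__main__":
    desk = TransferDesk(initiators={"userA"}, approvers={"userB"})
    tid, text = desk.initiate("userA", "Bob", "12345", 10000)  # constructed
    print(text)
    print(desk.approve(tid, "userB", text.rsplit(" ", 1)[1]))
```

Because the code is computed over the stored payee, account and amount, a pending transfer whose details are altered after the message was sent can no longer be released with the original code.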

Control: Separation of PCs

Use separate PCs

• One PC to initiate a funds transfer
• One PC to approve a funds transfer
• Don’t allow other Internet activity

User A initiates EFT; User B approves EFT

By isolating the PCs in this way, you reduce the risk that malware can infect both machines and steal information

Control: Strong Passwords

A well-chosen password is easy to remember, but hard to guess.

Length: Minimum 8 characters

Complexity: Combination of mixed case letters, numbers, and special characters.

Periodically change password

Do not share passwords

A few of the common things to avoid in your password:

• User ID, family member or name, pet name, address, birth dates, SSN, account #, phone #

Control: Malware protection, Patching, and Firewalls

Firewalls limit the potential for unauthorized access to a network and computers

Anti-Virus, Anti-Spyware
• Install and ensure virus protection and security software are updated regularly

Patching
• Ensure security patches are applied to both OS and applications (Microsoft, Adobe, Java, etc.)

Firewall (Corporate & desktop)
• Install a dedicated, actively managed firewall

Transaction Alerting

• User makes a change
• User is instantly alerted of change

Payee Added: Bob, Account #12345

It is impossible to prevent attacks on insecure client PCs. TA exposes results of transactions to the user, who can then take appropriate action

User is notified when important changes are made
• If alerted of a change they did not make, users will naturally contact the FI

Control: Monitor for Unusual Activity

Look for event anomalies associated with:

• Logon activity
• Changes in user profiles, customer setup
• IP addresses not associated with your corporation
• Transactions not consistent with customer’s behavior
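The anomaly categories on this slide can be expressed as simple rules over an event stream. The following is an added example, not part of the presentation: the event fields, rule names, 15-minute window, 3-sigma threshold and all sample data (documentation IP ranges, customer "acme") are constructed assumptions.

```python
import ipaddress
from statistics import mean, pstdev

CHANGE_WINDOW_SECONDS = 15 * 60  # assumed: a wire this soon after a profile change is suspect
SIGMA = 3                        # assumed outlier threshold

# Constructed sample data
CORPORATE_NETS = {"acme": ["203.0.113.0/24"]}
WIRE_HISTORY = {"acme": [1200.0, 950.0, 1100.0, 1300.0, 1000.0]}
EVENTS = [
    {"t": 0, "customer": "acme", "type": "logon", "ip": "203.0.113.10"},
    {"t": 3600, "customer": "acme", "type": "logon", "ip": "198.51.100.77"},
    {"t": 3660, "customer": "acme", "type": "profile_change",
     "ip": "198.51.100.77", "detail": "payee added"},
    {"t": 3720, "customer": "acme", "type": "wire",
     "ip": "198.51.100.77", "amount": 48000.0},
    {"t": 90000, "customer": "acme", "type": "wire",
     "ip": "203.0.113.10", "amount": 1150.0},
]


def find_anomalies(events, corporate_nets, wire_history):
    """Return one alert per event that trips at least one rule."""
    alerts, last_change = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        cust, reasons = ev["customer"], []
        # Rule: IP address not associated with the customer's corporation
        nets = [ipaddress.ip_network(n) for n in corporate_nets.get(cust, [])]
        if not any(ipaddress.ip_address(ev["ip"]) in n for n in nets):
            reasons.append("ip_not_corporate")
        if ev["type"] == "profile_change":
            last_change[cust] = ev["t"]
        elif ev["type"] == "wire":
            # Rule: transfer shortly after a change in user profile or setup
            changed = last_change.get(cust)
            if changed is not None and ev["t"] - changed <= CHANGE_WINDOW_SECONDS:
                reasons.append("transfer_soon_after_profile_change")
            # Rule: amount not consistent with the customer's past behavior;
            # with fewer than two past wires there is no baseline, so flag it
            past = wire_history.get(cust, [])
            if len(past) < 2 or ev["amount"] > mean(past) + SIGMA * pstdev(past):
                reasons.append("amount_outside_history")
        if reasons:
            alerts.append({"t": ev["t"], "type": ev["type"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, CORPORATE_NETS, WIRE_HISTORY):
        print(alert)
```

On the sample data the wire at t=3720 trips all three rules at once, which is the combination an analyst would want routed to case management first.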

Control: Customer Contracts

Evaluate customer contracts:

• Clearly define security procedures
• Define customer’s responsibility
• Provide educational material
• Do not allow “Opt Out”

Educate your customers:

Prevention is a Partnership

Risk Problem – Van has rolled over the edge

Risk Solution – Lift it with a crane

Risk Monitoring: Going well so far……..

Ooooops……..New Risk Problem

Traditional Thinking – Get A Bigger Crane

Result of Traditional Thinking….Who cares!

If you continue to think inside of the box, you will lose $

Q&A

• Locate the Q & A box on the bottom right hand corner of the WebEx platform.
• Type in your question and click send!

If you have suggestions for future web seminars or additional questions for today’s experts, please send them to: [email protected]

Thank you for joining us today!

Next Web Seminar: AML Audit (Part I): Demystifying the AML Audit Discovery Phase—Preparing for the Pre-Visit

April 18, 2012 – Noon to 2:00 PM EDT