Electronic Payment Trends & Risks · 2018-04-01

Page 1

CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited © 2014 CUNA Mutual Group, All Rights Reserved.

Electronic Payment Trends & Risks
Coastal Supervisory Committee and Internal Auditor Conference

Presented by: Ken Otsuka
Business Protection Risk Management
CUNA Mutual Group

Page 2

Electronic Payment Trends

• In the beginning, there was online banking
  – Members use a desktop or laptop to access their credit union accounts via the Internet
  – Uses generally include: account inquiries, e-statements, bill pay, account-to-account (A2A) transfer service, cross-member transfers

• Then came mobile banking
  – Members use mobile devices to access their credit union accounts
  – Same uses as online banking

• Next on the horizon – mobile payments

Page 3

Agenda

• Overview of account takeovers through online banking

• Mobile banking risks

• Mobile payments – the future

• ACH debit origination

Page 4

Online Banking

Page 5

Online Banking - Assault on Authentication

• Significant increase in account takeovers via online banking systems
  – Started in 2007
  – Business accounts have been the primary targets
    • More money to steal
    • Often associated with the money mule scam
  – Consumer accounts hit as well
• Cyber thieves use the bill pay, Automated Clearing House (ACH) or wire feature to transfer funds to accounts at other institutions
• Account takeovers of member accounts at credit unions are escalating

What are money mules?
• "Money mules" are people recruited to assist in the laundering of stolen funds. Many money mules are not aware they are being used to commit fraud.
• Fraudsters typically find people (victims) to serve as money mules by searching websites where job seekers post their resumes.
• The victims are contacted by the fraudsters, who generally offer "work from home" opportunities as a "payment processor" or similar position. Upon being hired, the money mules receive transfers into their deposit accounts from the fraudsters with instructions to transfer most of the funds to an account at another financial institution. The money mules keep a portion of the funds as compensation.

Page 6

Starts with a Phishing Attack

• Banking Trojans (malware) distributed in phishing attacks
  – Keylogging feature steals online banking login credentials
• Spear phishing
  – Targets a select group of employees at the same company
  – Phishing emails are tailored to, and sent only to, those employees
• Whale phishing ("whaling")
  – Targets a company's top executives

Page 7

Banking Trojans: Man-in-the-Browser (MITB) Attacks

• User's web browser is infected with a banking Trojan (e.g., Zeus)
• Toolkit feature allows cyber thieves to target specific online banking websites
  – Hundreds of online banking websites can be programmed into the MITB's configuration
• Automated scripts built into the toolkit
  – Navigating the website
  – Executing transactions
• Receives updates from a command and control center
• Awakens when the user visits a targeted online banking site
• "Piggybacks" on the user's authenticated online banking session, so the institution sees the fraudulent activity arriving from the legitimate user's device, IP address and session

MITBs are completely automated

Page 8

Man-in-the-Browser (MITB) Attacks

• Modifies the user's actions in real time
  – Transaction entered by the user is modified by the MITB before it reaches the institution
  – Dollar amount and destination account are changed without the user's knowledge; the browser keeps displaying what the user typed
• Can work independently of the user
  – Web injection creates a pop-up window: "Website under maintenance – please wait"
  – While the user waits, the MITB empties the account through the authenticated session

Page 9

MITB Overwrites User's Transaction

Transaction as it appears in the user's browser:
  Funds Transfer
  Available balance: $38,975.00
  From account: Jim (456789)
  Transfer amount: $400.00
  Destination institution: ABC Credit Union
  Destination account: Tom (123456)
  [Submit] [Cancel]

Transaction initiated by the MITB (what the institution actually receives):
  Funds Transfer
  Available balance: $38,975.00
  From account: Jim (456789)
  Transfer amount: $10,000.00
  Destination institution: XYZ Bank
  Destination account: Bill (321654)
  [Submit] [Cancel]

This illustration is created for educational purposes only

Page 10

MITB Attacks and Money Mules

1. Cyber crook sends a password-stealing Trojan as an email attachment or a link to an infected website.
2. User logs into the online banking system.
3. Trojan wakes up when a targeted online banking website is visited.
4. User enters transfers (ACH or wires).
5. MITB overwrites the user's transaction, changing dollar amounts and destination accounts.
6. Funds are sent to the money mules or used to fund prepaid cards.
7. Mules withdraw the money and wire it to the cyber crooks.

OR, at step 4, a web inject creates a pop-up window ("Website under maintenance – please wait") and the Trojan empties the account on its own.

For educational purposes only

Page 11

Authentication Options

• Something you know
  – Password
  – Answers to challenge questions
• Something you have
  – IP address / PC recognition (a weak possession factor: the recognized PC is exactly the machine the Trojan runs on)
  – USB token
  – Smart card
  – Password-generating token
• Something you are
  – Biometrics

Man-in-the-browser (MITB) attacks have rendered what were once considered strong multifactor authentication methods ineffective. Every factor above is checked at login, and the MITB does nothing until the legitimate user has passed that check; it then alters or originates transactions inside the already-authenticated session.

Page 12

Layered Security Controls

• Real-time fraud monitoring solution with behavioral analytics*
• Out-of-band authentication
• Out-of-band transaction verification without transaction details
• Out-of-band transaction verification with transaction details*
• Monetary and frequency limits
• Enhanced controls over account maintenance changes (e.g., contact phone number, email address, payee lists) initiated by customers through the online banking channel or through the call center
• Administrative function capabilities for business online banking (e.g., dual control, where a second user must approve a transaction)
• Techniques to limit the use of the account, such as ACH debit blocks
• Restrictions on the days and hours of access
• Internet Protocol (IP) reputation-based tools to block connections to online banking servers from IP addresses known or suspected to be associated with fraudulent activities

* Can defend against MITB attacks. Out-of-band verification helps only when the second channel shows the user the amount and destination the institution actually received; a code sent without those details will be entered by a user who still believes the on-screen transaction is the real one.

Page 13

Mobile Banking

Page 14

Mobile Banking Risks / Risk Mitigation

Short Message Service (SMS)
  Risks:
  • No guarantee the message sent will be received
  • Messages sent in clear text format – no end-to-end protection (messages are not encrypted)
  Risk Mitigation:
  • Should not be used for transfers to 3rd parties
  • Text messages should not contain account numbers or other sensitive information

Wireless Application Protocol (WAP) / browser-based web-enabled device
  Risks:
  • Risks are similar to online banking – man-in-the-browser and session hijacking
  • Lost/stolen devices
  • Login credentials stored on device
  Risk Mitigation:
  • Multifactor authentication
  • Layered security controls

Smartphone / Tablet
  Risks:
  • Members may inadvertently download apps containing malware
  • Lost/stolen devices
  • Login credentials stored on device
  Risk Mitigation:
  • Download only "signed" applications from a trusted source (e.g., the official app store listing linked from the credit union's website; an app offered for direct download from a web page or an SMS link should be treated as suspect)
  • Multifactor authentication
  • Layered security controls

Page 15

Mobile Malware: Man-in-the-Mobile (MITMO)

What is MITMO?
• Mobile malware
  – Example: Zitmo (Zeus-in-the-Mobile)
• Defeats out-of-band authentication / transaction verification that relies on a transaction authorization number (TAN)
• Steals TANs sent by financial institutions to users via SMS text messages as part of the institution's out-of-band process for logging into accounts through online banking or verifying transactions initiated by users

How does it work?
• Starts with infecting the user's personal computer with a banking Trojan (e.g., Zeus)
• User logs into the account using the personal computer
  – The Trojan wakes up because it is a targeted online banking website
• The Trojan injects Hypertext Markup Language (HTML) code into the page
  – Pop-up box appears in the user's browser
  – Requests mobile vendor, model and phone number
  – Device information is returned to the fraudster
• Fraudster sends an SMS text message to the user
  – User is instructed to download an "update" for the device – a link is provided
  – Malicious application (Zitmo) is installed on the device
• User initiates a large-dollar transaction
• Institution sends a TAN via SMS text message to the user to authenticate the transaction
• MITMO forwards the message to the fraudster, who now holds both the banking credentials and the second-channel code
Page 16

Zeus-in-the-Mobile (Zitmo)

1. Cyber crook sends a phishing email with an attachment containing the Zeus Trojan / a link to an infected website.
2. User's computer is infected with the desktop component (Zeus).
3. The Trojan wakes up when a targeted online banking website is visited and injects HTML code. Pop-up window: "Please provide information on your mobile device. Mobile device make: ___ Mobile number: ___"
4. User's mobile phone information is returned to the cyber crook through the command & control center.
5. Cyber crook sends an SMS to the user asking them to click on a link to complete a "security upgrade" on their mobile phone.
6. User's mobile phone is infected with Zitmo.
7. User enters large $ transfers – ACH or wires.
8. Transaction Authorization Number (TAN) is sent via SMS to the user's phone.
9. Zitmo forwards the TAN to the cyber crook.

Cyber crook is now in a position to hijack the user's online banking sessions to steal funds.
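The two asterisked controls on the Layered Security Controls slide and the Zitmo sequence above can be demonstrated together. The following Python example is added here and is not part of the original deck or of any vendor product: it models out-of-band transaction verification first as a plain code that says nothing about the transaction, then as a code bound to the amount and destination the institution actually received, using the deck's own $400 to Tom versus $10,000 to Bill overwrite. The `Transaction` class, the HMAC-based code construction, the `SERVER_KEY` secret and all account numbers are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Accounts, names and amounts are constructed; they reuse the deck's own
# $400 -> $10,000 MITB overwrite illustration (Jim 456789 -> Tom 123456 / Bill 321654).


@dataclass(frozen=True)
class Transaction:
    from_account: str
    amount_cents: int
    dest_institution: str
    dest_account: str


# Hypothetical server-side secret used to bind a verification code to one transaction.
SERVER_KEY = secrets.token_bytes(32)


def _bound_code(tx: Transaction, nonce: str) -> str:
    """8-hex-digit code that changes if any field the user is asked to confirm changes."""
    msg = f"{tx.from_account}|{tx.amount_cents}|{tx.dest_institution}|{tx.dest_account}|{nonce}"
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()[:8]


def issue_challenge(tx: Transaction, with_details: bool) -> dict:
    """Institution side. tx is the transaction the server actually received, which under
    a MITB is the attacker's transaction, not the one shown in the user's browser."""
    nonce = secrets.token_hex(8)
    if with_details:
        code = _bound_code(tx, nonce)
        text = (f"Confirm transfer of ${tx.amount_cents / 100:,.2f} to "
                f"{tx.dest_institution} account {tx.dest_account}. Code: {code}")
        details = {"amount_cents": tx.amount_cents, "dest_account": tx.dest_account}
    else:
        code = secrets.token_hex(4)  # plain OTP: carries nothing about the transaction
        text = f"Your verification code is {code}"
        details = None
    return {"nonce": nonce, "code": code, "text": text, "details": details}


def verify_challenge(tx: Transaction, nonce: str, entered: str, with_details: bool,
                     issued_code: str) -> bool:
    """Institution side: accept the code only for the transaction the server holds."""
    expected = _bound_code(tx, nonce) if with_details else issued_code
    return hmac.compare_digest(expected, entered)


def user_reviews(challenge: dict, intended: Transaction) -> Optional[str]:
    """User side, on the second device. Returns the code to type, or None to refuse.
    With a plain OTP there is nothing to compare against, so the user types it."""
    d = challenge["details"]
    if d is None:
        return challenge["code"]
    if d["amount_cents"] != intended.amount_cents or d["dest_account"] != intended.dest_account:
        return None  # "$10,000.00 to account 321654" is not the $400 to 123456 the user entered
    return challenge["code"]


def run_scenario(with_details: bool, second_channel_compromised: bool) -> str:
    intended = Transaction("456789", 40_000, "ABC Credit Union", "123456")  # what Jim typed
    submitted = Transaction("456789", 1_000_000, "XYZ Bank", "321654")       # what the MITB sent
    ch = issue_challenge(submitted, with_details)
    if second_channel_compromised:
        # Zitmo case: the SMS is forwarded to the attacker, who types the code himself.
        entered = ch["code"]
    else:
        entered = user_reviews(ch, intended)
    if entered is None:
        return "blocked_by_user"
    ok = verify_challenge(submitted, ch["nonce"], entered, with_details, ch["code"])
    return "fraud_completed" if ok else "rejected_by_server"


if __name__ == "__main__":
    for details, phone_owned in [(False, False), (True, False), (True, True)]:
        print(f"details={details} phone_compromised={phone_owned}: "
              f"{run_scenario(details, phone_owned)}")
```

Running the three scenarios shows why only the "with transaction details" variant is starred: a bare code is typed by a user who still sees $400 on screen, while a message reading "$10,000.00 to XYZ Bank account 321654" is refused. The third scenario is Zitmo: once the phone that receives the SMS is also under the attacker's control, the code reaches him directly and even the detailed variant is defeated, which is why the control list pairs it with real-time behavioral fraud monitoring instead of relying on the second channel alone.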

Page 17

Mobile Payments

Page 18

Mobile Payments versus Mobile Banking

• Mobile payments are payments made to others initiated with a mobile device

• Mobile banking involves financial institution accountholders accessing their accounts held at the institution allowing them to check balances and to initiate transfers from their accounts to other parties

Page 19

Regulatory & Security Issues

Regulatory Issues
• Mobile payments offered by non-financial institutions create uncertainty on whether existing consumer protection laws apply
  – Funding source linked to a prepaid account held by MPSPs (mobile payment service providers)
  – Funding source linked to the user's wireless bill by MNOs (mobile network operators)
• CFPB issued a proposed amendment to Regulation E in November 2014 that would extend protections to mobile payments linked to a prepaid account held at MPSPs

Security Issues
• The security and confidentiality of the transmission and storage of payment instructions and of the personal financial information of users

Page 20

Mobile Payments and Consumer Protection Laws

Business model: Financial Institution
  Funding source / transaction flow:
  • Funding source is a checking account or credit card account held at the financial institution
  • Transactions flow through traditional payment networks/channels
  Regulatory considerations:
  • Existing consumer protection laws apply
    – Reg E when the funding source is a checking account
    – Reg Z when the funding source is a credit card or other line of credit

Business model: Mobile Payment Service Provider (MPSP)
  Funding source / transaction flow:
  • Funding source could be a prepaid account held at the MPSP
    – Transactions flow through the MPSP's proprietary network
  Regulatory considerations:
  • Existing consumer protection laws (Reg E) do not apply to prepaid accounts
  • CFPB issued a proposed amendment to Reg E that would extend consumer protections to mobile payments linked to a prepaid account held by MPSPs

  Funding source / transaction flow:
  • Funding source could be a checking account or credit card account held at a financial institution
    – Transactions flow through traditional payment networks/channels
  Regulatory considerations:
  • If the funding source for the transaction is a checking account or credit card, existing consumer protection laws apply
    – Reg E when the funding source is a checking account
    – Reg Z when the funding source is a credit card or other line of credit

Business model: Mobile Network Operator (MNO)
  Funding source / transaction flow:
  • Funding source is the user's billing account with the MNO
  • Transactions flow through the MNO's mobile network and the user's wireless bill is charged for the amount of the transactions
  Regulatory considerations:
  • Existing consumer protection laws (Reg E and Reg Z) do not apply when the mobile payment transactions are charged to the user's wireless billing account

Page 21

What are the Risks?

Risk: Lost/stolen devices
  Risk mitigation:
  • Member education
  • Deploy remote wipe capability (may require a separate application)
  • Password-protect the device
  • Use the mobile payment application's password feature
  Comments:
  • Apple Pay Touch ID (fingerprint) secures the device, reducing the risk of fraud from a lost/stolen device
  • Expect to see more providers using biometrics for securing mobile devices and mobile payment software/applications

Risk: Malware/viruses
  Risk mitigation:
  • Mobile antivirus/antimalware protection
  Comments:
  • May not be available for all device types

Risk: Malicious applications
  Risk mitigation:
  • Member education
  • Download applications from a trusted source
  Comments:
  • Applications may be infected with malware

Risk: Jailbreaking the device
  Risk mitigation:
  • Member education
  Comments:
  • Jailbreaking may disable important security features on the device

Fraud monitoring tools
  • Fraud monitoring solution (real-time) to detect/prevent fraudulent transactions

Page 22

Apple Pay Solves Security Issues?

• Apple Pay provides the desired security
  – Uses NFC technology
  – Activated via Touch ID
  – Card account numbers are not stored on the device
    • A unique Device Account Number is assigned, encrypted and stored in the secure element of the iPhone
  – Each transaction is authorized with a one-time unique number derived from the Device Account Number, and a dynamic security code is created to validate that specific transaction

Tokenization removes the 16-digit card number from the equation: a merchant or network breach exposes only the Device Account Number and a one-time code that is useless for a second transaction, and neither reveals the real card number.
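As an added illustration of what the Device Account Number and the per-transaction code buy, the Python model below is not Apple's code and not the deck's; it is a deliberately simplified sketch of network tokenization written for this page. The token format, the HMAC-SHA256 "cryptogram" (real EMV tokenization uses an AES-based application cryptogram), and the `Device` and `IssuerTokenVault` names are assumptions; the test card number is a constructed value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed, simplified model of network tokenization. It is NOT Apple's or any
# payment network's implementation: the token format, the HMAC "cryptogram" and the
# class names are assumptions chosen to make the mechanism visible.


@dataclass
class Device:
    dan: str        # Device Account Number: the token the merchant sees
    key: bytes      # per-device key held in the secure element; never leaves it
    atc: int = 0    # application transaction counter, incremented per payment

    def pay(self, amount_cents: int, merchant_id: str) -> Dict[str, object]:
        self.atc += 1
        msg = f"{self.dan}|{amount_cents}|{merchant_id}|{self.atc}".encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        # Everything that leaves the device. There is no PAN in it.
        return {"dan": self.dan, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "atc": self.atc, "cryptogram": cryptogram}


@dataclass
class IssuerTokenVault:
    """Issuer side: the only place a DAN can be mapped back to the real card number."""
    pan_by_dan: Dict[str, str] = field(default_factory=dict)
    key_by_dan: Dict[str, bytes] = field(default_factory=dict)
    last_atc: Dict[str, int] = field(default_factory=dict)

    def provision(self, pan: str) -> Device:
        dan = "4" + f"{secrets.randbelow(10 ** 15):015d}"   # assumed 16-digit token format
        key = secrets.token_bytes(32)
        self.pan_by_dan[dan], self.key_by_dan[dan], self.last_atc[dan] = pan, key, 0
        return Device(dan, key)

    def authorize(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        dan = str(msg["dan"])
        key = self.key_by_dan.get(dan)
        if key is None:
            return False, "unknown token"
        if int(msg["atc"]) <= self.last_atc[dan]:
            return False, "replayed cryptogram"         # same or older counter
        expected = hmac.new(
            key, f"{dan}|{msg['amount_cents']}|{msg['merchant_id']}|{msg['atc']}".encode(),
            hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, str(msg["cryptogram"])):
            return False, "bad cryptogram"              # amount or merchant altered in transit
        self.last_atc[dan] = int(msg["atc"])
        pan = self.pan_by_dan[dan]                      # detokenized only here, inside the issuer
        return True, f"approved on card ending {pan[-4:]}"


def demo() -> Dict[str, object]:
    """Runs the three cases the slide cares about and returns the issuer's verdicts."""
    vault = IssuerTokenVault()
    phone = vault.provision("4111111111111111")           # constructed test PAN
    first = phone.pay(2_599, "coffee-shop-17")
    results: Dict[str, object] = {"pan_in_merchant_data": "4111111111111111" in str(first)}
    results["legit"] = vault.authorize(first)[1]
    results["replay"] = vault.authorize(dict(first))[1]   # breached merchant replays the capture
    tampered = phone.pay(2_599, "coffee-shop-17")
    tampered["amount_cents"] = 259_900                    # attacker raises the amount
    results["tampered"] = vault.authorize(tampered)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

demo() exercises the three properties that matter for a breached merchant: the payment message contains no card number, a captured message cannot be submitted twice because the counter must advance, and a message with the amount altered fails the cryptogram check. Detokenization happens in one place, the issuer's vault, which is why the slide can say the 16-digit number is out of the equation everywhere else.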
Page 23

ACH Debit Origination: Credit Risk

Page 24

ACH Debit Risk: Account-to-Account (A2A) Transfer Service

A2A is a payment type frequently offered with online/mobile banking

• A dishonest member uses the A2A feature to initiate ACH debits against accounts at other institutions to "pull" funds into his/her credit union account for deposit (ACH deposit)
• The credit union is the Originating Depository Financial Institution (ODFI)
  – As ODFI, the credit union warrants that the ACH debits are properly authorized
• Other institutions have up to 60 days to return the ACH debits to the credit union if their accountholders claim the debits are unauthorized
  – By then the dishonest member has typically withdrawn the pulled funds, and the returned item is charged back to the credit union
• Credit risk created by ACH debits is uninsurable

Page 25

ACH Debit Risk: Account-to-Account (A2A) Transfer Service

Mitigating the credit risk associated with ACH debits
• Understand the credit risk associated with ACH debits originated by the credit union
• Conduct due diligence on members to qualify them for A2A
• Establish monetary and frequency limits
• Trial deposits
  – Not foolproof: they prove the member can see activity on the external account (e.g., through its online banking), not that the member is entitled to debit it

Page 26

ACH Debit Risk: Credit Card Booster Payments via ACH

• Members make fraudulent payments on credit union-issued credit cards via ACH
  – Funds are pulled from accounts at other institutions
  – Payments often exceed the card balance, creating a credit balance the member draws down (purchases, cash advances) before the ACH debit is returned
• Credit unions are the originating depository financial institution (ODFI)
• Credit risk associated with ACH debits is uninsurable

Booster payments via ACH on a single card could easily result in a six-figure loss
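The A2A mitigation list and the booster-payment slide above come down to the same arithmetic: how much of a member's pulled money an RDFI can still claw back, and whether a new pull or card payment is worth that exposure. The Python below is an added example, not code from the deck or from CUNA Mutual Group; it applies monetary and frequency limits, a trial-deposit gate and the 60-day return window to a constructed set of A2A debits, and flags the over-balance card payment pattern. Member IDs, routing/account strings, amounts and limit values are all made up; the only parameter taken from the deck is the 60-day window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed example: a handful of A2A "pull" debits originated by a credit union as ODFI.
# The only parameter taken from the deck is the 60-day return window; member IDs,
# routing/account strings, amounts and limits are made up.
RETURN_WINDOW_DAYS = 60


@dataclass
class AchDebit:
    member_id: str
    settle_date: date
    amount_cents: int
    external_account: str      # "routing:account" at the other institution being debited
    returned: bool = False     # set when the RDFI returns the item as unauthorized


@dataclass
class A2ALimits:
    per_item_cents: int
    daily_cents: int
    daily_count: int
    open_exposure_cents: int   # cap on debits that an RDFI could still return


def open_exposure(debits: List[AchDebit], member_id: str, as_of: date) -> int:
    """Credit exposure = this member's unreturned debits still inside the return window."""
    cutoff = as_of - timedelta(days=RETURN_WINDOW_DAYS)
    return sum(d.amount_cents for d in debits
               if d.member_id == member_id and not d.returned and d.settle_date > cutoff)


def check_new_debit(debits: List[AchDebit], member_id: str, external_account: str,
                    amount_cents: int, as_of: date, limits: A2ALimits,
                    verified: Dict[str, Set[str]]) -> Optional[str]:
    """Return the reason to decline a new pull, or None if it passes every control."""
    if external_account not in verified.get(member_id, set()):
        return "external account not verified by trial deposits"
    if amount_cents > limits.per_item_cents:
        return "exceeds per-item limit"
    today = [d for d in debits
             if d.member_id == member_id and d.settle_date == as_of and not d.returned]
    if len(today) + 1 > limits.daily_count:
        return "exceeds daily count"
    if sum(d.amount_cents for d in today) + amount_cents > limits.daily_cents:
        return "exceeds daily amount"
    if open_exposure(debits, member_id, as_of) + amount_cents > limits.open_exposure_cents:
        return "exceeds open exposure"
    return None


def booster_payment_flag(card_balance_cents: int, ach_payment_cents: int) -> bool:
    """A card payment funded by an ACH pull that exceeds what is owed is the booster pattern:
    it creates a credit balance the member can spend before the debit comes back."""
    return ach_payment_cents > card_balance_cents


TODAY = date(2014, 6, 30)
SAMPLE_DEBITS = [
    AchDebit("m-1001", date(2014, 5, 5), 250_000, "021000021:111"),   # 56 days old: still open
    AchDebit("m-1001", date(2014, 4, 20), 300_000, "021000021:111"),  # 71 days old: window closed
    AchDebit("m-1001", TODAY, 100_000, "021000021:111"),              # settled today
    AchDebit("m-2002", date(2014, 6, 10), 50_000, "031000053:222", returned=True),
]
LIMITS = A2ALimits(per_item_cents=500_000, daily_cents=200_000, daily_count=2,
                   open_exposure_cents=400_000)
VERIFIED = {"m-1001": {"021000021:111"}}   # external accounts that passed trial deposits


if __name__ == "__main__":
    print("open exposure m-1001:", open_exposure(SAMPLE_DEBITS, "m-1001", TODAY))
    for amt in (40_000, 60_000, 150_000):
        print(amt, check_new_debit(SAMPLE_DEBITS, "m-1001", "021000021:111",
                                   amt, TODAY, LIMITS, VERIFIED))
    print("booster?", booster_payment_flag(120_000, 500_000))
```

open_exposure() is the number the deck calls uninsurable credit risk: money already credited to the member but still returnable by the other institution. The trial-deposit gate only proves the member can read the external account's activity, so a fraudster holding the victim's online banking login passes it; the per-item, daily and exposure caps are what bound the loss when that happens, and the booster flag catches the card variant of the same pull-then-spend pattern.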

Page 27

Summary

• The use of electronic transactions via online banking/mobile banking is growing by leaps and bounds

• Account takeovers can damage your reputation

• Understand the risks associated with mobile payments

• Understand the credit risk associated with originating ACH debits

Page 28

Questions & Answers

Ken Otsuka, CPA
Senior Consultant - Risk Management
CUNA Mutual Group
Email: [email protected]

Page 29

Disclaimer

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers' needs. For example, the Workers' Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.

This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.

CUPRM-894560.1-0414-0516 ©CUNA Mutual Group 2014, All Rights Reserved.
