1
Here Phishy, Phishy… Don’t Take the Bait
Protect your Company from Payment Fraud
James Emerson, Vice President-Controller, U. S. Risk Insurance Group, Inc.
Steven Bullitt, Assistant to Special Agent in Charge, United States Secret Service
Neal Baker, Senior Vice President, Director of Corporate Security and Fraud Investigations, Texas Capital Bank
Moderator: Duane Reaves, Treasury & Liquidity Solutions, Texas Capital Bank
2
Agenda
Introduction of Panelists
Key Messages
Setting the Stage
Magnitude of the Problem
Zeus Bot Confidential
Into the Deep-Panelists’ Experiences
Protections and Recommendations
Terms
Q&A
3
Key Message
Fraud is here to stay… whether it is internal, external, electronic or paper-based… it is worse than you thought
Prevention is not just about utilizing the latest technology but involves an active application of common sense
Cybercrime looks like a business, walks like a business, talks like a business and the opponents are intelligent and nimble
No organization is immune from internal or external fraud
Check fraud is still rampant; ACH fraud is on the rise with more corporations moving to electronic payments and cyber fraud has only begun
4
Background
Cybercrime is widespread and mainstream… Velocity of business account takeover is increasing
Thousands of strains of malware are delivered at a rate outpacing the ability for anti-virus software to mitigate threats on a real time basis
Cyber attacks are costly with an average cost of $18k per day with a median cost per company of $3.8 million annually
Cybercrime is a $70 billion industry in the U.S. with a dedicated career-minded “workforce” forming an underground economy
Zeus Trojan infiltration spans 196 countries with an estimated 3.6 million infected computers in the U.S. alone and has already infected virtual cloud computing networks
Social networking is tipping the knowledge scale in favor of the “phishers”
5
Background
Names in cyber news… In 2009, 74,000 FTP accounts on websites of companies such as NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek were compromised
Zeus has sent out over 1.5 million phishing messages on Facebook
Zeus has spread emails purporting to be from major corporations such as the instance of nine million from Verizon Wireless alone
6
Background
Not to be outdone, non-electronic payment fraud is also a thriving business… Over 90% of all attempted payment fraud today still involves checks
Counterfeit checks using the organization’s MICR line data is the most prevalent form of check fraud
Altered payee names on checks also ranks very high in the incidence of fraud
Altered employee pay checks also scores as the third most prevalent form of check fraud
7
Magnitude of the Problem
You know things are bad when… There are 93 Computer Crime Task Forces in the United States alone
The FBI had a major cyber fraud takedown called Operation Phish Phry
We now have a National Cyber Security Awareness Month
The Electronic Crimes Task Force of the U.S. Secret Service has been in existence now for 16 years
8
Threat Environment
[Chart: threats and actors plotted against five axes: Number of Incidents (Fewer to Many), Level of Sophistication (Lower to Higher), Known Mitigates (Lesser to Greater), Barriers to Entry (Lower to Higher) and Pay-off (Lesser to More)]
Threats shown: Man-in-the-Browser with Zeus Bot; Phishing; Whaling; USPS and Lockbox Check Theft; Hybrid Worms; Viruses; ACH Kiting; Counterfeit and Altered Checks; Coordinated Attacks; Internal Theft
Actors shown: Hobbyists/Cyber Vandals; Hired Hackers for Corporate Espionage; Rogue Employees; Terrorists; Organized Cyber Crime Rings; Organized Crime Rings
9
Zeus Bot Confidential
Zeus is available for purchase in underground forums for $700
$4000 buys the latest version and there are published “going rates” for an array of fraudulent services
You can get it for free, if you don’t mind pirating software...and what hacker does?
Software incorporates copy protection mechanisms to attempt to prevent piracy, thus illustrating the intent of the organization to run as a “business”
Zeus organization is thought to operate out of the Ukraine, Latvia and other countries
Organization is rumored to have a “support staff” of over 500
10
Zeus Bot Confidential
Malware Exploiters
• Malware exploiters purchase malware
• They utilize it to steal banking credentials
• They launch attacks from compromised machines
• They transfer stolen funds
Money Mules
• Mules receive and transfer stolen funds
• They retain a percentage of the funds
Victims
• Victims include individuals, businesses and financial institutions
Malware coders program software to exploit a computer vulnerability and sell it on the black market
11
Zeus Bot Confidential
[Flow diagram of the fraud cycle]
1) Email received by victim, or victim visits a legitimate website: the attachment contains malware or a malicious script is on the website
2) Work station compromised: victim is infected with credential-stealing software and banking credentials are stolen
3) Hacker engages: hacker receives banking credentials, remotes into the victim’s computer via a compromised proxy and logs into the victim’s online banking service
4) Stolen funds: money is transferred to fraudulent companies and to mules; mules receive stolen funds and retain a percentage
5) Money moved offshore and laundered
6) Cycle repeats
12
Into the Deep-Panelists’ Experiences
13
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Account Structure
Minimize number of accounts
Use unique serial number ranges for specific purposes, not new accounts
Segregate accounts at greater risk
Check Supply
Use established vendor
Use unique check style for each account type
Monitor delivery of orders and inform vendor if not received
Use check stock with security features such as fluorescent fibers, watermarks, chemical resistance, bleach reactive stains, thermochromatic ink, microprinting warning band and more
Use secured storage with controlled access for check stock, check printing equipment, endorsement stamps and cancelled checks
14
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Internal Controls
Use dual authorization for ALL monetary transactions including online ACH originations, ACH direct transmissions, Wire Transfers and RDC
Formally and regularly review internet security
Set policies regarding passwords such that 1) the same passwords are not used for different applications, 2) they are not easy to guess, e.g. pet or children's names, 3) they contain special characters and are not just alphanumeric, and 4) they are changed often
Mask account numbers and EINs on correspondence
Conduct surprise audits
Never sign checks in advance
Review and update signature cards annually
Use only dedicated, standalone computers for online banking where email and web browsing are not allowed
Set policies to disable user IDs and passwords during leaves and to never pre-fill password at log-on
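The dual-authorization, segregation-of-duties and limit controls listed above can be enforced in software rather than left to procedure. The following is an added example written for this page; it is not code from the presentation or from any panelist’s organization. The role names, the per-type limits (the slides only say to keep ACH and wire limits as low as possible) and the ControlViolation error are assumptions.

```python
"""Dual-authorization and limit gate for outgoing payments.

Added example, not code from the presentation or from any of the panelists'
organizations. It models three checklist controls: dual authorization for
every ACH origination, wire and RDC item; segregation of duties (the
initiator can never approve); and ACH/wire limits kept low.
Role names, limits and the ControlViolation error are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample role assignments (assumption: a small treasury team).
INITIATORS = {"ap_clerk", "controller"}
APPROVERS = {"controller", "treasurer", "cfo"}

# Constructed per-type limits in cents; the deck only says "as low as possible".
LIMITS_CENTS = {"ach": 25_000_00, "wire": 50_000_00, "rdc": 10_000_00}

REQUIRED_APPROVALS = 2


class ControlViolation(Exception):
    """Raised when a payment step would breach an internal control."""


@dataclass
class Payment:
    payment_id: str
    kind: str                 # "ach", "wire" or "rdc"
    amount_cents: int
    payee_account: str
    initiated_by: str
    approvals: list = field(default_factory=list)
    released: bool = False


def initiate(payment_id: str, kind: str, amount_cents: int,
             payee_account: str, user: str) -> Payment:
    """Create a pending payment; enforces the initiator role and the limit."""
    if user not in INITIATORS:
        raise ControlViolation(f"{user} may not initiate payments")
    if kind not in LIMITS_CENTS:
        raise ControlViolation(f"unknown payment type {kind!r}")
    if amount_cents > LIMITS_CENTS[kind]:
        raise ControlViolation(
            f"{kind} amount {amount_cents} exceeds limit {LIMITS_CENTS[kind]}")
    return Payment(payment_id, kind, amount_cents, payee_account, user)


def approve(payment: Payment, user: str) -> Payment:
    """Record one approval; rejects non-approvers, the initiator and repeats."""
    if user not in APPROVERS:
        raise ControlViolation(f"{user} is not an authorized approver")
    if user == payment.initiated_by:
        raise ControlViolation(
            "segregation of duties: the initiator cannot approve their own payment")
    if user in payment.approvals:
        raise ControlViolation(f"{user} has already approved this payment")
    payment.approvals.append(user)
    return payment


def release(payment: Payment) -> Payment:
    """Release funds only when two distinct approvers have signed off."""
    if len(payment.approvals) < REQUIRED_APPROVALS:
        raise ControlViolation(
            f"{payment.payment_id}: {len(payment.approvals)} of "
            f"{REQUIRED_APPROVALS} approvals present")
    payment.released = True
    return payment


def demo() -> Payment:
    """Walk a constructed wire through the full dual-control path."""
    p = initiate("W-1001", "wire", 4_250_00, "ACCT-DEMO-PAYEE", "ap_clerk")
    approve(p, "controller")
    approve(p, "treasurer")
    return release(p)


if __name__ == "__main__":
    result = demo()
    print(result.payment_id, "released:", result.released, "by", result.approvals)
```

The point of keeping the initiator check separate from the role check is the case where one person legitimately holds both roles (the controller here): they may start a payment or approve someone else’s, but never both on the same item.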
15
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Anti-Virus and Spyware
Do not open attachments to an email if the subject line or email itself looks suspicious or unexpected
Do not download from unfamiliar file sharing sites
Aggressively update your anti-virus applications regularly
Schedule anti-virus software to run daily and automatically
Install a firewall as a first line of defense against hackers with default-deny configuration
Utilize security certification verification software
Employ intrusion analytics software
Prepare, implement and practice an incident response plan.
Install perimeter spam and malicious content filtering
16
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
System-Focused Controls
Require complex passwords and PINs
Limit physical access to supporting technologies and servers
Store system and data backups in a protected, encrypted manner
Instruct token users to report lost or stolen tokens immediately and disable them immediately
Implement network and host-based firewalls, anti-virus, and intrusion detection software
Ensure servers and desktop systems are patched
Implement regular vulnerability assessments on systems and correct any identified issues
Instruct users to watch for, and report, unusual system behavior
17
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Transaction Controls
Review and reconcile accounts daily and monthly
Validate vendor legitimacy and account information by performing a call-back if invoice is suspect or there is a change of address request
Formalize procedures to securely retain then safely shred checks after remote deposit
When possible convert paper payments to electronic
Implement policies requiring employees to always log-off not just wait for automated timeout
Do not provide your EIN unless required for a validated need
Secure your check stock or other negotiable documents and manage under dual control
Secure your workplace: deter non-employees from accessing files, including trash bins
Maintain ACH and wire limits as low as possible
18
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Staffing
Limit authorizations to appropriate employees
Segregate duties between staff that issues payments and those that reconcile
Rotate banking duties to prevent collusion
Review system access privileges for all employees regularly
Proactively provide education on phishing and other cybercrime
Screen and log temporary help and vendors that come on site
Promptly deactivate employee access cards for temporary or laid-off staff
Promptly collect security tokens and deny computer access for temporary or laid-off staff
19
Fraud Awareness Checklist (columns: Common Sense | Technology Assisted)
Banking Services-Paper Transactions
Validate the legitimacy of checks presented by using Positive Pay
Designate accounts for use in electronic transactions only and block checks from debiting
If inbound check volume warrants, use a Lockbox for segregation of duties
Banking Services-ACH Transactions
Stop all ACH originators from debiting your accounts by using Debit Blocks
Ensure only authorized originators can access accounts for predetermined amounts by using Debit Filters
Validate the legitimacy of ACH debits presented by using ACH Positive Pay
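The bank services on this slide all come down to a decision rule applied to each presented item. The following added example, written for this page and not a bank’s or the presentation’s implementation, models Positive Pay (a check must match the issue file on serial, amount and payee), an electronic-only account that blocks checks, an ACH Debit Block, and an ACH Debit Filter that admits only listed originators up to a predetermined amount. Account identifiers, originator IDs, issue-file entries and the decision labels are constructed.

```python
"""Positive Pay, ACH Positive Pay, Debit Blocks and Debit Filters.

Added example, not the bank's or the presentation's implementation. A check
must match the company's issue file (serial, amount, payee) and may not hit
an electronic-only account; an ACH debit is returned on a blocked account
and raised as an exception when the originator is not on the filter or
exceeds its approved amount. All identifiers and amounts are constructed.
"""
from dataclasses import dataclass, field

PAY, EXCEPTION, RETURN = "pay", "exception", "return"


@dataclass
class IssuedCheck:
    serial: str
    amount_cents: int
    payee: str
    paid: bool = False


@dataclass
class AccountControls:
    account: str
    checks_blocked: bool = False        # electronic-transactions-only account
    ach_debit_block: bool = False       # no originator may debit
    # ACH debit filter: originator ID -> maximum approved debit in cents
    ach_debit_filter: dict = field(default_factory=dict)
    # Positive Pay issue file keyed by check serial number
    issued_checks: dict = field(default_factory=dict)


def review_check(ctl: AccountControls, serial: str, amount_cents: int, payee: str):
    """Positive Pay decision for one presented check."""
    if ctl.checks_blocked:
        return (RETURN, "checks are blocked on this electronic-only account")
    issued = ctl.issued_checks.get(serial)
    if issued is None:
        return (EXCEPTION, "serial not in issue file: possible counterfeit")
    if issued.amount_cents != amount_cents:
        return (EXCEPTION, f"amount mismatch: issued {issued.amount_cents}, presented {amount_cents}")
    if issued.payee != payee:
        return (EXCEPTION, "payee mismatch: possible altered payee")
    if issued.paid:
        return (EXCEPTION, "duplicate presentment of a paid item")
    issued.paid = True
    return (PAY, "matches issue file")


def review_ach_debit(ctl: AccountControls, originator_id: str, amount_cents: int):
    """ACH Positive Pay decision using the account's block and filter."""
    if ctl.ach_debit_block:
        return (RETURN, "ACH debit block: no originator may debit this account")
    limit = ctl.ach_debit_filter.get(originator_id)
    if limit is None:
        return (EXCEPTION, f"originator {originator_id} not on debit filter")
    if amount_cents > limit:
        return (EXCEPTION, f"amount {amount_cents} exceeds approved {limit} for {originator_id}")
    return (PAY, "authorized originator within approved amount")


def sample_accounts():
    """Constructed accounts: one operating (checks only) and one ACH-only."""
    operating = AccountControls(
        account="OPER-0001",
        ach_debit_block=True,
        issued_checks={
            "10501": IssuedCheck("10501", 1_250_00, "ACME SUPPLY CO"),
            "10502": IssuedCheck("10502", 980_00, "CITY UTILITIES"),
        },
    )
    payroll_ach = AccountControls(
        account="ACH-0002",
        checks_blocked=True,
        ach_debit_filter={"ORIG-PAYROLLCO": 40_000_00, "ORIG-TAXAUTH": 15_000_00},
    )
    return operating, payroll_ach


def run_sample():
    """Return the decision for each constructed presented item."""
    operating, payroll_ach = sample_accounts()
    return {
        "good_check": review_check(operating, "10501", 1_250_00, "ACME SUPPLY CO"),
        "altered_amount": review_check(operating, "10502", 9_800_00, "CITY UTILITIES"),
        "unknown_serial": review_check(operating, "10999", 500_00, "ANYONE"),
        "duplicate": review_check(operating, "10501", 1_250_00, "ACME SUPPLY CO"),
        "check_on_ach_only": review_check(payroll_ach, "10501", 1_250_00, "ACME SUPPLY CO"),
        "ach_on_blocked": review_ach_debit(operating, "ORIG-PAYROLLCO", 100_00),
        "ach_authorized": review_ach_debit(payroll_ach, "ORIG-PAYROLLCO", 38_500_00),
        "ach_over_limit": review_ach_debit(payroll_ach, "ORIG-TAXAUTH", 20_000_00),
        "ach_unknown_originator": review_ach_debit(payroll_ach, "ORIG-UNKNOWN", 50_00),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_sample().items():
        print(f"{name:24} {decision:10} {reason}")
```

Exceptions are deliberately not auto-returned: under Positive Pay the bank presents them to the company, which decides to pay or return before the deadline, which is why the daily reconciliation item on the earlier slide matters.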
20
Key Message
If you don’t do anything else… Never leave check stock unsecured
Never share passwords and user names
Never leave payment and reconcilement in the hands of the same individual(s)
Educate employees to be suspicious of emails from banks or government agencies requesting information
Consider standalone PCs for online banking
Rehearse your preparedness plan if you are compromised
Use Positive Pay and ACH Debit Blocks
Always initiate ACH and wire transfers under dual control
Install antivirus and security software on all PCs
21
Terms
Phishing: Swindling people out of log-in information by representing themselves to be a representative of a legitimate organization. Widespread targeting of countless people, usually through spam.
Whaling: Attempt to hijack the personal computers of top-ranking business executives. Targeting a specific individual and formulating messages to appeal specifically to them. Victims are carefully chosen and tricked into opening an attachment containing embedded code allowing a hacker to take over their computer, browse their files, etc. Personal information from LinkedIn and other sites is often used as a “hook”.
Man-in-the-Middle: “Eavesdrops” on communication between two systems and then hijacks the connection. Once the connection is hijacked, unauthorized activity begins and the authorized user is blocked or delayed. Also known as a bucket-brigade attack or Janus attack.
Man-in-the-Browser: Similar to a Man-in-the-Middle attack, but in this case data is manipulated before it is sent to the company and presented to the user. For example, the screen displays the correct account number, but the transmission uses a different account number.
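Because a Man-in-the-Browser presents one account number on screen and transmits another, any confirmation shown inside the same browser is useless. The usual countermeasure is an out-of-band confirmation that both shows the user the details the bank actually received and carries a code bound to those details. The following is an added example written for this page, not code from the presentation or any bank; the shared secret, message wording, six-digit code length and the reference/account values are assumptions.

```python
"""Out-of-band transaction confirmation bound to the payment details.

Added example, not code from the presentation. The confirmation text is
delivered on a second channel (e.g. a phone message). It displays the
payee account and amount the server received, so the user can compare
them with what they intended, and its code is an HMAC over those same
fields, so a code issued for one payee cannot release a payment to
another. Secret, wording and code length are assumptions.
"""
import hashlib
import hmac

# Constructed per-customer secret; in practice it lives server-side only.
OOB_SECRET = b"demo-oob-secret-not-for-production"


def _canonical(payee_account: str, amount_cents: int, reference: str) -> bytes:
    """Fixed encoding of the fields the user is asked to confirm."""
    return f"{reference}|{payee_account}|{amount_cents}".encode()


def confirmation_code(payee_account: str, amount_cents: int, reference: str) -> str:
    """Six-digit code derived from an HMAC-SHA256 over the details."""
    mac = hmac.new(OOB_SECRET, _canonical(payee_account, amount_cents, reference),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_confirmation(payee_account: str, amount_cents: int, reference: str) -> str:
    """Text sent out of band: what the server received, plus the bound code."""
    code = confirmation_code(payee_account, amount_cents, reference)
    return (f"Ref {reference}: confirm payment of ${amount_cents / 100:,.2f} "
            f"to account ending {payee_account[-4:]}. Code {code}")


def release_payment(payee_account: str, amount_cents: int, reference: str,
                    code_entered: str) -> bool:
    """Release only if the entered code matches the details being executed."""
    expected = confirmation_code(payee_account, amount_cents, reference)
    return hmac.compare_digest(expected, code_entered)


def demo() -> dict:
    """Constructed scenario: the user intends one payee, the browser sends another."""
    intended = ("111122223333", 5_000_00, "TX-42")   # what the user meant
    tampered = ("999988887777", 5_000_00, "TX-42")   # what a manipulated browser sent
    message = issue_confirmation(*tampered)          # user sees "ending 7777", not "3333"
    code_for_intended = confirmation_code(*intended)
    return {
        "message": message,
        # A code obtained for the intended details cannot release the tampered one.
        "code_reuse_rejected": not release_payment(*tampered, code_for_intended),
        # The honest path still works.
        "honest_release": release_payment(*intended, code_for_intended),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The binding is what makes the second channel worth having: without it, a code confirming a legitimate transfer could be applied to whatever the browser actually submitted.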
22
Terms
Reverse Phishing: Fraudsters send emails to corporations providing fraudulent banking information, redirecting ACH payments to an account they control.
ACH Kiting: Similar to check kiting, ACH kiting involves multiple accounts used for fraudulent purposes. ACH debits are originated from one account and drawn on the other, with the available balance taken out before settlement.
Insider ACH Origination Fraud: Insiders at a bank or merchant alter an ACH file to skim funds from a company.
ACH Counterfeiting: ACH debits are generated from the electronic conversion of a counterfeit check.
23
Thank You and Be Safe!
The recommendations in this document are suggestions and each company’s situation is unique. Consult appropriate advisors in implementing your fraud protection program.