How Banks and Corporates Can Prevent Payments Fraud Together
Transcript of "How Banks and Corporates Can Prevent Payments Fraud Together"
© 2016 Treasury Strategies, Inc. All rights reserved.
February 11, 2016
Agenda
• Panelist Introductions
• Industry Overview and Survey Results
• Perspectives on Payment Fraud
- The Banker’s View
- The Corporate View
- The Technologist View
• The Power of Collaboration to Prevent Payment Fraud
• Open Q&A
Panelists
• Mike Vigue, Bottomline Technologies, Corporate Vice President
• Margaret MacLeod, BBVA Compass Bank, Executive Director, eBanking Manager
• Shelley Travis, BB&T Bank, SVP, Treasury Services Product and Risk Manager
• Craig Mondschein, Tishman Speyer, Senior Treasury Director
• Dave Robertson, Treasury Strategies, Partner & Director
Industry Overview
• Security spending has doubled in the last four years
• Many companies that were breached were “compliant” on their various security assessments
• There is a major shortage of security talent and it’s expected to get worse
• According to Mandiant, the average hacker dwell time* is 205 days
*Dwell time: the number of days a threat actor remained undetected within an environment without remediation
Recent History of Detected Incidents
[Chart: Number of Detected Incidents (1), in millions, 2009–2015]
2009: 3.4 | 2010: 8.4 | 2011: 22.7 | 2012: 24.9 | 2013: 28.9 | 2014: 42.8 | 2015: 101.5
Breaches marked on the timeline: Heartland Payment Systems, Google, Epsilon, Zappos, Target, Sony, eBay, Anthem BCBS, US Office of Personnel Mgt.
Sources: (1) PwC Report – The Global State of Information Security Survey
Data breaches are increasing and there are over one million threats a day!
Rising Concern: Banks & Corporates
Banks are more concerned about payment fraud and cyber risk than their corporate counterparts. They are also more apt to require their employees to undergo training.

How big of a concern is payment fraud/cyber risk for your organization? (% of respondents)
Response | Banks | Corp
A Top Priority | 54% | 29%
Quite A Lot | 23% | 37%
Moderately | 21% | 24%
Very Little/Not at all | 1% | 10%

Do you require fraud/cyber risk training of employees? (% of respondents)
Response | Banks | Corp
Yes - for all employees | 55% | 25%
Yes - for employees in key roles | 25% | 35%
No - but we are exploring | 8% | 23%
No/Not Sure | 11% | 17%
Preventative Measures: Banks & Corporates
Roughly half of corporates have instituted dual approvals on both payment requests and initiation in their payments system/bank portal.
The nature and frequency by which banks perform fraud analytics varies.

Banks perform fraud analytics (% of respondents)
In real time and across all payment applications | 17%
In real time for each individual application | 14%
In a batch mode and across all payment applications | 8%
In a batch mode for each individual application | 7%
It varies by application | 31%
I'm not sure | 20%
Other | 2%

Do you have dual controls on payment requests and/or payment initiation? (% of respondents)
We have dual controls on both | 55%
Requests but not initiation | 4%
Initiation but not requests | 9%
We don't have dual controls on either | 12%
I'm not sure | 20%
Payment Fraud Occurrences: Corporates
Many corporates don’t know about threats until there is a loss.
The average time to detect fraud incidents was just over one month.
(1) The majority of attacks originated from an external source, with the remainder split between current/former employees and unknown sources.

Has your organization been a victim of a cyber security attack? (1) (% of respondents)
Yes - within the last year | 21%
Yes - but it has been more than a year | 18%
No | 52%
I'm not sure | 10%

Has your organization identified and thwarted prior cyber security attacks? (% of respondents)
Yes - within the last year | 35%
Yes - but it has been more than a year | 12%
No | 21%
I'm not sure | 32%
Corporate Impact on Banking Relationships
Roughly half of corporates consider a bank’s fraud performance when selecting a bank. Most corporations believe that the liability for a fraud loss depends upon the situation.

Should a fraudulent transaction occur, who should assume the liability for the loss? (% of respondents)
It depends | 74%
Your bank | 11%
Your company | 8%
I'm not sure | 6%
Split between company & bank | 1%

Does a bank’s fraud performance factor into your organization’s bank relationship decisions? (% of respondents)
Yes | 48%
No | 32%
I'm not sure | 20%
Poll Question #1
Are you more optimistic about:
A. The US presidential election
B. Your ability to prevent fraud
Banker’s Perspective (BB&T)
Current Fraud Scenarios
• Social engineering – masquerading as someone in authority (CEO/CFO/etc.)
• Request for refund on invoice that was “overpaid”
• Bank’s safeguards triggered but client directs payment to be released
Current Protection Environment
• Hard token usage at login and payment initiation
• Anti-malware requirement
• Transaction scoring – outbound calls for confirmation
• Continued client education
- Consistent communication regarding recommended security protocols
- RMs/treasury consultants proactively advising clients
Top Forward-looking Priorities
• Continuing education – find new approaches to prevent desensitization
• Evaluating enhanced authentication processes
• Deepen integration across systems – internal/external/frontend/backend
Bank Perspective (BBVA)
Current Fraud Scenarios
• Social engineering – masquerading as someone in authority (CEO/CFO/etc.) or as a trading partner
• Log-in credential issues – click link and “update”
Current Protection Environment
• Mandatory usage of Trusteer Rapport through the online banking platform
• eBanking platform – multiple layers and multiple types of controls
• “Challenge” user at every login
• Continued client education
- What can happen, how BBVA can help
- Internal client-facing employees advise clients on safeguards
- Publishing periodic whitepapers on the subject
Top Forward-looking Priorities
• Risk-based authentication software that learns users’ behaviors and transaction patterns
• Real-time tools – especially around ACH/Wire – proactive monitoring at the point of payment initiation vs. post-processing
• Launching a soft-token application
Corporate Perspective
What can Corporates do to help reduce loss due to fraud?
Education
• Corporate treasury has to learn about the latest threats and schemes from their banking partners
• Internal mass education to all employees globally who handle bank accounts or sensitive information
Enhance Controls
• Controls must be reviewed to ensure that proper segregation of duties exists, vendor creation is properly controlled, and payments are properly authorized
• Correct inadequate controls immediately, before they contribute to a loss
IT Involvement
• IT department has to have up-to-date firewalls and fraudulent e-mail detection
• Latest VPN technology
• Password reset requirements
• Policies concerning mobile banking applications and security
Partner Involvement
• Educate and cooperate with vendors and suppliers to identify fraudulent payment requests to minimize criminals receiving your outgoing payments
• Educate and cooperate with customers to identify fraudulent invoices to minimize criminals receiving your incoming payments
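The control review the corporate panel calls for (segregation of duties, controlled vendor creation, properly authorized payments) and the survey question on dual controls over payment requests and initiation map onto a maker/checker workflow. The following is an added illustration written for this transcript, not code from the webinar or any panelist's organization; the user names, vendor and amount are constructed, and the rule that the releasing approver must differ from both the requester and the initiator is one reasonable policy, not one the slides specify.

```python
from dataclasses import dataclass
from typing import Optional

class ControlViolation(Exception):
    pass  # raised when dual control or segregation of duties would be broken

@dataclass
class Payment:
    vendor: str
    amount: float
    requested_by: str
    request_approved_by: Optional[str] = None     # control point 1: the request
    initiated_by: Optional[str] = None
    initiation_approved_by: Optional[str] = None  # control point 2: initiation

class PaymentControls:
    def __init__(self) -> None:
        self.vendors = {}  # name -> (created_by, approved_by), kept as an audit trail

    def add_vendor(self, name: str, created_by: str, approved_by: str) -> None:
        # vendor creation is itself dual-controlled: a second user must approve it
        if created_by == approved_by:
            raise ControlViolation("vendor creator cannot also approve the vendor")
        self.vendors[name] = (created_by, approved_by)

    def request_payment(self, vendor: str, amount: float, user: str) -> Payment:
        if vendor not in self.vendors:
            raise ControlViolation("payee must be an approved vendor")
        return Payment(vendor, amount, user)

    def approve_request(self, p: Payment, user: str) -> None:
        if user == p.requested_by:
            raise ControlViolation("requester cannot approve own request")
        p.request_approved_by = user

    def initiate(self, p: Payment, user: str) -> None:
        if p.request_approved_by is None:
            raise ControlViolation("cannot initiate an unapproved request")
        p.initiated_by = user

    def approve_initiation(self, p: Payment, user: str) -> None:
        # release needs an initiated payment and a user who neither requested nor keyed it
        if p.initiated_by is None or user in (p.initiated_by, p.requested_by):
            raise ControlViolation("release requires an independent second approver")
        p.initiation_approved_by = user

def violates(action, *args) -> bool:  # True if a control blocks the action
    try:
        action(*args)
        return False
    except ControlViolation:
        return True
```

Each `violates` call corresponds to one gap the survey found (no dual control on requests, on initiation, or on either); a payment is only released when `initiation_approved_by` is set.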
Poll Question #2
Compared to last year, have fraud attempts at your organization:
A. Decreased significantly
B. Decreased slightly
C. Stayed flat
D. Increased slightly
E. Increased significantly
Note: Select one response only.
Timothy Geithner, former Secretary of the Treasury (2/19/15)
“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked”
– John Chambers, CEO of Cisco
But Everyone Already Knows That
A Multi-Layered Approach is Needed
Supported by FFIEC recommendations
[Diagram: six security layers]
1. Firewall/Intrusion Prevention
2. Log Analyzers (SIEM)
3. Network/Endpoint Monitoring
4. User Monitoring and Analysis
5. Access Controls
6. Database Security
However, Banks and Corporates Still Face Challenges
Challenge | Implication
Insider fraud activity goes undetected | How Do You Identify Insider Fraud?
Fraud is often identified after the money is gone | How Can You Stop Fraud in Real-Time?
New tricks – social engineering, cross-channel | How Can You Stay One Step Ahead of New Tactics?
Information overload – too many alerts | How Do You Prioritize and Identify Real Threats?
Keys to Success
Best Practices
1. Capture & analyze network traffic to complement other layers of defense
2. Prioritize alerts with risk scoring
3. Leverage robust investigation tools such as link analysis and visual replay
4. Create a non-invasive and scalable infrastructure
5. Collect irrefutable forensic evidence
Stop Fraud Before Financial Loss
If you’re not blocking fraudulent transactions, it’s like having a surveillance camera without locking the front door.
Protect Against External and Internal Risks
Authorized users
• Trusted with access to sensitive information
• Aware of the different roles/database structure
• Can fall victim to social engineering schemes
Teller Fraud Case Study: Global Bank
A large global bank had the ability to detect large-scale fraud – but the cost and time required to review log-based activity reports rendered their current infrastructure inadequate to identify more elaborate schemes. This bank leveraged real-time network monitoring of teller activity to strengthen fraud controls.
Key Concerns
• Infrastructure relied heavily on costly monitoring and storage of log files
• Unable to detect employee access to sensitive data (e.g. read-only activity)
• Unable to detect more elaborate schemes – for example, skimming small dollar amounts or data leakage
Results
• Prevented a collusion scheme targeting dormant accounts in excess of $400,000.
• Fraud investigation time has been reduced by 90% – from days to hours
• Bank can add new types of alerts without IT development, search and replay user activities.
User Behavior Monitoring Case Study: Finance Company
“Ensuring we have robust systems … that manage and eliminate risks posed to our business is of paramount importance,” says an executive at a leading affinity card, point of sale loan, and personal finance company. The company leveraged user behavior monitoring to track employee activity and identify suspicious behavior.
Key Concerns
• Financial downturn would increase risk that employees may be tempted to commit fraud.
• Looking to minimize resources and time required for a new system
• Staying one step ahead of emerging fraud trends, such as insider collusion.
Results
• Proof of concept was live within days.
• Migration to production completed within one month following the pilot.
• Return on investment was realized within a number of months.
• Analytics are being leveraged to meet other business objectives.
Web Payment Fraud Case Study: A Large Bank
This bank leveraged Web Payment Fraud as an overlay to existing infrastructure, providing an additional layer of security for their HTTP traffic.
[Diagram: Bank.com e-banking application; customers download endpoint monitoring; Web Payment Fraud overlay]
Results
• 4 terabytes of data are indexed each day
• HTTP monitoring detected a malware signature that was not yet updated into the endpoint system
• The solution also monitors payment activity from authorized users within the application
• The bank is now considering using the platform for case management
Bottomline’s Cyber Fraud and Risk Management Platform
In 2015, Bottomline acquired Intellinx, a cybersecurity company
The Bottomline platform is used by >200 organizations, and 10 of the top 50 banks worldwide.
Flexible architecture for many use cases:
• Enterprise-wide platform
• Centralized case management overlay
• Single application monitoring
• Pre-Integrated with Bottomline SaaS solutions
One Thought to Leave On: Banks and Corporates Should Work Together
• What Banks Can Do More Of:
– Continue to communicate with and educate corporate customers
– Strengthen operating models between bank and customers when fraud occurs
– Continue to expand authentication options and fraud prevention services
• What Corporates Can Do More Of:
– Leverage fraud prevention services
– Educate employees
– Support additional authentication methods
– Communicate with banks about what’s working or not
• What Technology Providers Can Do:
– Maintain tight integration across security layers and payment systems
– Establish anti-fraud networks across their clients
Poll Question #3
What is your top forward-looking priority to improve fraud prevention in your organization?
A. Education
B. Policies and controls
C. Fraud detection systems and integration
Note: pick one response - your top priority
Thank you!
Mike Vigue, Corporate Vice President, Cyber Fraud and Risk Management
Address: Bottomline Technologies, 325 Corporate Drive, Portsmouth, NH 03801
Phone & Email: Direct Line: [email protected]
www.bottomline.com