Everything Old is New Again: Tough Times Bring Out Tried & True Tricks from Fraudsters

I once heard a line on – of all places – sports talk radio, and it’s stuck with me through the years, especially during the past one. “Tough times don’t build character, they reveal it.”

Well, there’s no question the past year has brought tough times to all of us, and as for some of the fraudulent characters they’ve revealed? Whew!

It seems like every tried-and-true fraud scheme is back these days with a vengeance, as criminals renew their efforts to deprive us of our financial and informational assets. The only difference: Instead of focusing on only one fraud channel, criminals today tend to be attempting multiple entry points simultaneously.

Everything old is new again, and it’s coming at you all at once!

I trust you’ll enjoy the articles, interviews and opinion pieces we’ve collected here, and I welcome hearing from you after you’ve soaked in some of this information. What are the fraud schemes you’re seeing most this year? How are you educating your customers to avoid them? Where have you had success thwarting the fraudsters?

The tough times will get better. Fraud, alas, won’t go away. We just have to make sure that we – like the criminals – get smarter, organized and educated. It’s going to be a long fight, but we can win it.

Best,

Tom Field
Editorial Director, Information Security Media Group
[email protected]

Volume 1, Issue 5, June 2009
In this issue...

Articles
2  10 Faces of Fraud. What does next year hold for fraud against financial institutions? Here are 10 of the new and old ways criminals will be looking to commit fraud in 2009.
18  The Insider Threat: 16 Tips to Protect Critical Data
28  Top Trends in ACH Fraud. What you need to know about payroll fraud, ACH kiting and solutions to fight these threats.
32  Top Internet Scams for You and Your Customers to Avoid

Interviews (with streaming audio player embedded directly into the page)
10  2009 Identity Fraud Report. James Van Dyke of Javelin Strategy & Research discusses the results.
22  : How to Help Protect Your Customers. Dave Jevans, chair of the Anti-Phishing Working Group, discusses the state of phishing against banking institutions.

Blogs
9  At the Heart of the Data Breach(es). The Field Report with Tom Field
Is 2009 the Year of the Insider Threat? The Agency Insider with Linda McGlasson

10 Faces of Fraud
What does next year hold for fraud against financial institutions? Here are 10 of the new and old ways criminals will be looking to commit fraud in 2009.

Copyright © Information Security Media Group, Corp.

By Linda McGlasson

1. ATM Network Fraud
According to Paul Kocher, president and chief scientist of Cryptography Research, Inc. (CRI), the number one area in which institutions will see fraud growing over the next year is ATM networks. “When the criminal gets access to magnetic stripe data and associated PIN values, they are then able to create cards, and basically then it’s a license to print money,” Kocher explains. Another problem for institutions is that their ability to perform risk management is significantly less on an ATM network than on online transactions. “This is because the ATM delivers the goods to the consumer immediately, which is exactly what the fraudsters want -- the cash, rather than a large-ticket item they have to then fence or resell,” he concludes.

Kocher predicts that until U.S. financial institutions and credit card companies roll out either a contact or contactless smart card infrastructure, there won’t be a great reduction in the amount of fraud being perpetrated against U.S. consumers. “Once they decide to do this, it will cause a great reduction in the amount of fraud, because we’ve seen it happen in Europe,” says Kocher.

2. Check Fraud
The area of check fraud is also becoming continuously more sophisticated, and the underlying technological systems haven’t kept pace with the sophistication of the adversaries, says CRI’s Kocher.

“Initially there will be more pain and losses on the part of institutions, and then more technological changes on their part to try and catch up to the criminals’ ability to perpetrate check fraud,” he observes. There won’t be a solution for paper-based check fraud, Kocher says, until we have a technological development where the check itself can be authenticated via a chip or code. There are actions that could be taken in the meantime, such as printing a code on the back of the check that the bank can verify, much like the security code on a credit card. “Eventually we’ll end up with something similar to that, but the question is how long will it continue to grow until it becomes financially painful enough for banks to implement this?” Kocher asks.

3. ‘Laser-Guided’ Precision Strikes
The organization and sophistication of criminals is increasing, and so is the sophistication of their attacks. Mike Rothman, senior vice president of security strategy at eIQnetworks, sees a “laser-guided” approach to targeting precision attacks on institutions’ customers as the next step that these criminals will take. “They will use data already collected from previous attacks on companies, including ChoicePoint and others, to build their attacks.” One information security researcher told Rothman that organizations like the RBN have built demographic databases “that rival some of the biggest and most significant demographic databases in the financial services industry that are used here in the States legally.”

Criminal groups like RBN are compiling huge amounts of data in order to get consumers to share account information with them. This allows them to entice those customers to “give up the goods” by divulging enough information so that they feel comfortable with the scam. The victims include small businesses, which Rothman sees as the next crime front.

“Most small business owners are not sophisticated enough or wary of emails that would offer services,” Rothman notes. Especially in the tough economic times facing all businesses, he sees there will be a marked increase of fraud targeting small businesses. “We’re always going to see criminals targeting consumers. The small businesses that are already being pushed to the wall in these hard economic times won’t realize they’ve fallen prey to a slick targeted attack until it’s too late, and there is a lot of fertile ground out there that could be attacked.” One example, Rothman says, could be the offer of online applications for small business loans or credit lines. In many cases, these attacks could be launched under a generic social engineering attack. Proactively, financial institutions can continue to train employees and offer information to customers making them aware of these types of attacks.

4. Phishing Attacks To Continue
In 2008, the financial services industry saw an increase in the number of phishing attacks that is expected to continue through 2009, including sophisticated spear phishing and Rock Phish attacks. The Anti-Phishing Working Group reports that the financial services sector remains the most targeted sector, with an average of more than 90 percent of attacks being directed at financial services.

According to Terry Gudaitis, PhD, Cyber Intelligence Director at Cyveillance, a cyber intelligence firm specializing in phishing takedown and monitoring services, a growing threat area that she and others see for phishing attacks is “smishing,” or SMS phishing. “Phishers are now sending their phishing messages over cell phones via text messages. This will cause confusion among online banking users, especially those using mobile banking services,” she says. “The typical banking customer will think, ‘My bank won’t email me, but they’re sending me a text message asking me to click on this link or call a number to verify,’” Gudaitis says. While the SMS attack vector is different, the object of the phisher is the same. “This type of attack will pose credibility issues and will impact banks with mobile banking services, especially as the more reliant customers will become more trusting of their mobile phone.”

5. Check Image Fraud
Traditionally, after a successful phishing attack, the criminal would extract the needed information, go onto the online account and remove the victim’s bank funds. This has changed for some of the more sophisticated criminals in the last year, says Ori Eisen, founder and CIO of 41st Parameter. “Instead of looting the victim’s account, they don’t set up fake bill pay or take money directly from the account. Instead they go to the check image page, where they take a copy of the victim’s check.”

Many financial institutions are now offering check images as part of their online banking services to their customers. The customer can go online to see what checks have cleared, Eisen notes. “So what is on those checks? The victim’s bank account number, signature, address, phone,” says Eisen. It’s a treasure for most criminals. They can either take the copy and make paper counterfeit checks to distribute, or take that information and create PayPal accounts or other online payment accounts that will leave the victim on the hook for any purchases.

Eisen says check image fraud is hitting the top financial institutions around the world to the “tune of millions of dollars per month. The amount they’re being hit with is significant,” he says. Banks are on the hook for these losses: with the proliferation of Trojans, keyloggers and other malware that find their way onto customers’ computers, banks can’t hide behind the statement that the customer didn’t protect their account information. As more institutions begin losing money to check image fraud, they’ll need to find ways to mask the check images online, especially with the increased phishing that is occurring, Eisen warns.

6. Zero Day Attacks
Another area that financial institutions will need to keep an eagle eye on is the shift in the way financial fraud is happening. CRI’s Kocher sees the attacks changing from criminals trying one thing and then ramping up their attacks against a particular vulnerability or fraud strategy, to something similar to hackers attacking computer vulnerabilities, where the smartest adversaries identify a problem, keep what they learn secret, and then attack the target in a very sudden and catastrophic way.

He sees criminals going for these “zero day type exploits,” rather than gradually building up over a period of time. The reasons for this type of attack are easy to figure out: “If an attack gradually comes out, a patch will invariably be developed and deployed to stop it.”

When attacks build gradually, so does the response to stop them. However, Kocher points out that this response approach works well only to a point. “Once the criminals realize that the fast and furious type of attack strategy will work and doesn’t give the financial institution time to respond, it may end up that we will end up with a more toxic attack that we’ve never seen before,” he predicts. The types of attacks could range from a single attack against a bank’s network to one on its ATM network. Before, when there was a breach of an ATM switch, the stolen data was used gradually over a period of time, rather than rapidly in a coordinated fashion, he says. “At some point it will become more profitable for the criminals to use the data immediately so that the risk management programs won’t have time to respond.” Should that become the preferred strategy of attack, it won’t become more profitable for the criminal, because they will have to deploy the stolen information to large numbers of drug addicts on the street, he says; this group is the majority of the people who commit ATM fraud. But the bad news for financial institutions: “If it happens once or twice to your competitor, then you better take it seriously. These sorts of attacks that come out of the blue are much scarier than those that you see coming, building gradually over time, that you can do something about, or have a week’s debate about how to solve it before anything too serious has happened.”

7. Low ‘N Slow Attacks
Imagine having the best firewalls, intrusion detection systems and an unbeatable monitoring system installed, says eIQnetworks’ Rothman. But your computer systems are still compromised. What happened? Rothman says it may have been a “low and slow attack” that happens not over a period of a few minutes or hours, but over a period of days, weeks, or even months.

Financial institutions have bolstered their defenses against the quick “smash and grab” attacks, similar to robbers running into a jewelry store stealing jewels out of cases. “Now the criminals will compromise a machine and sit back and wait, maybe a day, week or even a month before going back to it and see what else they can compromise through it,” Rothman says. What is their end goal? “To compromise the entire network and perpetrate fraud over a long period of time,” he says.

On the time dimension, these criminals realize that it is far less likely for them to get caught if they’re doing it over a long period of time. “Obviously, most companies evaluate data coming over their networks in a two to three day period, not over a period of weeks or months. So there is no correlation if they wait,” Rothman explains. The institution won’t “connect the dots” that they’ve got a criminal with spyware on a computer, sitting picking up passwords and user names, and then three weeks later those user names and passwords are used to get into the database server. “If the company is only evaluating data over a two or three day period, those guys are flying WAY under the radar,” he notes. Rothman recommends that institutions look for anomalies and begin to evaluate and search out the cause. “Unless you’re gathering data to look for these types of actions, say over a 21- or 30-day period or even extending it out to 60 or 90 days, you’d never make the connection in order to raise the red flag within the organization,” he says.

In the financial services industry there are currently no known examples of “low and slow” attacks, Rothman says. But the most famous “low and slow” this year was the Hannaford Brothers grocery chain breach, where the attackers waited and pulled down information about customers over a three month period of time.

8. Drive-By Attacks Deliver
Institutions need to educate and warn customers and employees to beware of online look-alikes and infected websites, says Tom Wills, Javelin Strategy & Research’s senior analyst for security & fraud. “Drive-by attacks that surreptitiously deliver keylogging Trojans to customers’ computers are becoming identity thieves’ weapon of choice.” Machines are infected when users visit bogus bank sites that they’ve been directed to via phishing emails or, increasingly, legitimate sites that have been hacked, he notes.

Javelin’s Wills also predicts there will be an increase in the number of “amateur” hackers and criminals looking to purloin cash or personal information from institutions’ customers, mainly due to the bad economy. “Institutions should expect an uptick in amateur fraud. These ‘crimes of opportunity’ will occur among customers and employees as more people are financially stressed as a result of the economic downturn,” Wills notes.

9. Phones Will Be Ringing
All institutions need to keep a close ear and eye on their phone channel, says Wills. “As online banking security improves through better authentication and back-end anomaly detection, fraudsters are following the path of least resistance and turning to the phone (call centers and interactive voice response technology), where authentication procedures tend to be less stringent,” he notes. Wills stresses that all customer access channels need industrial-strength security, not just some of them.

10. Insider Threat
This is one of the most important issues that financial institutions are going to face in the coming year, says Jody Westby, Adjunct Distinguished Fellow at Carnegie Mellon University’s CyLab and CEO of Global Cyber Risk, a Washington, DC-based cyber intelligence firm. “In this economy, people are going to be more tempted to steal inside data, to sell it or use it for their own purposes. The insider threat will be more prevalent than in the past [because] there will be more desperate players out there,” Westby notes. Proper monitoring of all employees, vendors and contractors, with a separation of duties plan, will help stop this from happening, but as was seen in such cases as the Countrywide insider case, a determined insider is one of the hardest types to stop.

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1098
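The gap Rothman describes in item 7 above (a two- or three-day correlation window cannot connect spyware found on a workstation with the same user’s credentials being used on a database server three weeks later) is easy to demonstrate. The following is an added example, not code from the article, from eIQnetworks or from any of the people quoted: a small stream correlator that keeps each user’s endpoint alerts for a configurable window and flags a later database login by that user, pruning state older than the window so that a 30- to 90-day window stays affordable. The log format, the event names (av_alert, db_login), and the user and host names are all constructed for this illustration.

```python
"""Long-window correlation for "low and slow" intrusions.

Added example (not code from the article or from eIQnetworks). It
pairs an endpoint alert with a later sensitive login by the same
user, as long as the login falls within a configurable number of
days of the alert. Log format, event names and sample lines are
constructed for the illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical users and hosts). jsmith's
# workstation raises a keylogger alert on March 2 and jsmith first
# logs into the database server 21 days later; mlee shows the same
# pair one day apart. dba01 is normal administrative traffic.
SAMPLE_LOG = """\
2009-03-02T09:14:00 av_alert user=jsmith host=ws-114 sig=Keylogger.Gen
2009-03-02T09:20:00 db_login user=dba01 host=db-prod-1
2009-03-03T17:02:00 db_login user=dba01 host=db-prod-1
2009-03-23T02:41:00 db_login user=jsmith host=db-prod-1
2009-03-24T11:00:00 av_alert user=mlee host=ws-207 sig=Keylogger.Gen
2009-03-25T11:30:00 db_login user=mlee host=db-prod-1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, event_type, {field: value}) for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


class LowSlowDetector:
    """Flags a db_login by a user who had an av_alert within `window_days`.

    Alerts older than the window are pruned on every event for that
    user, so retained state is bounded by the alerts seen inside the
    window rather than by raw log volume.
    """

    def __init__(self, window_days):
        self.window = timedelta(days=window_days)
        self.alerts = defaultdict(list)  # user -> [alert timestamps]

    def _prune(self, user, now):
        self.alerts[user] = [t for t in self.alerts[user] if now - t <= self.window]

    def feed(self, ts, etype, fields):
        """Process one event in time order; return a finding dict or None."""
        user = fields.get("user")
        if user is None:
            return None
        self._prune(user, ts)
        if etype == "av_alert":
            self.alerts[user].append(ts)
        elif etype == "db_login" and self.alerts[user]:
            first = min(self.alerts[user])
            return {
                "user": user,
                "alert": first,
                "login": ts,
                "gap_days": (ts - first).days,
                "host": fields.get("host"),
            }
        return None


def run(log_text, window_days):
    """Replay a log through the detector; return findings in time order."""
    det = LowSlowDetector(window_days)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    findings = []
    for ts, etype, fields in events:
        f = det.feed(ts, etype, fields)
        if f:
            findings.append(f)
    return findings


def flagged_users(log_text, window_days):
    """Sorted list of users with an alert-then-login pair inside the window."""
    return sorted({f["user"] for f in run(log_text, window_days)})


if __name__ == "__main__":
    for days in (3, 30, 90):
        print("%2d-day window flags: %s" % (days, flagged_users(SAMPLE_LOG, days)))
```

With a 3-day window only mlee is flagged; widening it to 30 days also catches jsmith, whose login came 21 days after the alert, which is exactly the connection a short evaluation window never makes. The prune step is what makes the longer window practical: the detector keeps only alerts inside the window, not the whole log, so extending from 30 to 90 days costs memory proportional to alert volume rather than to event volume.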


The Field Report with Tom Field
At the Heart of the Data Breach(es)

OK, so how many payment processor data breaches are we talking about - one or two? That’s been the big question we’ve been trying to sort out. And I’m not sure anyone knows definitively. If they do, they’re not telling.

But I do know this: For anyone who wants to know exactly what the Heartland Payment Systems (HPY) data breach - or any such incident - really means, here’s what I’ll tell them. This is an excerpt from a note I received a couple of weeks back from a bank customer:

“I am just a customer with XXX bank here in the Midwest. And I just discovered today that $500 was taken out of my account yesterday. Someone charged $250 twice at a Macy’s East in New York and attempted another $200 and it was refused. This is what the bank teller told me. They have cancelled my and my husband’s debit cards and are working to get the $500 back.

“We are just plain, hardworking Midwesterners and are shocked and bewildered how this happened. We’ve never been to New York, and we never left the county yesterday! I had also been issued a new debit card about a month or so ago and had just stuck it in the safe because my other card was still fairly new, although they were two different numbers. The debit card number that was used never left the safe, so I’m pretty darn sure that it was compromised electronically and most likely with Heartland.

“The gal at the bank wasn’t sure if Heartland was involved or not. I just wish I’d been notified to watch for this earlier. The bank teller alluded that there have been several other bank customers that have had strange charges, but I think it’s just beginning to show up. I’ve been researching this whole breach thing on the net and wonder why the media hasn’t really got involved with this. I’ve been doing my own notifying today via email telling friends and family members to check their debit/credit accounts for fraud.

“I’m not sure if I can be much help to you, but since my bank isn’t on the list and I’ve definitely had some fraud done with my account, I thought I’d let you know.

“Thanks for at least letting me vent.”

Well, thanks for taking the time to vent and to give us all a little bit of perspective.

Y’see, it doesn’t matter whether the fraud referenced above was connected to Heartland or a payment-processor-to-be-named-later. It doesn’t even matter so much how the fraud occurred and what the card-issuing bank did/did not do as a result of it.

To me, this just cuts to the heart of these data breaches. They aren’t about encryption and hackers and intrusion detection systems. They’re about trust, as banking always is, and they’re about customers - people - having that trust violated.

“All that matters is that a bank customer lost $500 to fraud, doesn’t understand why, and wonders what her bank is going to do about it.”

There have been some great questions raised in the wake of the Heartland breach. What exactly happened? How did it happen? How many banks, credit unions and customers were affected? What can we do to prevent such breaches from occurring in the future?

But to me the ultimate question is: What are we going to do to regain our customers’ trust? I’d be curious to hear your answers. TF

Read this blog online at http://blogs.bankinfosecurity.com/posts.php?postID=150


2009 Identity Fraud Report
James Van Dyke of Javelin Strategy & Research explains the results.

The number of identity fraud victims has increased 22 percent in the U.S., costing 9.9 million victims a total of $48 billion in 2008. This is the news from the fifth annual Identity Fraud Survey Report from Javelin Strategy & Research. In an exclusive interview, James Van Dyke, Javelin founder and president, discusses:

• Highlights - and surprises - from the study;
• What it all means to banking institutions;
• Trends for institutions and their consumers to watch for in 2009.

James Van Dyke
President, Javelin Strategy & Research
James Van Dyke has held key management assignments in strategic planning, market research, product management, and distribution channel development with organizations ranging from start-ups to Fortune 100.

TOM FIELD: Hi. This is Tom Field, editorial director with Information Security Media Group. I’m talking today about the 2009 Identity Fraud Survey Report that has been released by Javelin Strategy and Research. Here to talk about that report is James Van Dyke, president and founder of Javelin Strategy and Research. Jim, thanks so much for joining me today.

JIM VAN DYKE: Thanks. I’m glad to be here.

FIELD: Jim, you’ve got your report out in its fifth consecutive year.

VAN DYKE: Yes.

FIELD: It’s probably the most comprehensive survey produced on the topic. What are the big headlines this year? And I guess my follow up to that is, what kind of surprises did you find?

VAN DYKE: Yeah. This is the most comprehensive and rigorous study on the subject of identity fraud, by the way, we believe, in looking at financial services and payments research of all kinds, that this is absolutely the most misunderstood specific topic that exists, on how people manage their financial affairs, whether that’s institutions or consumers. We had a number of interesting findings this year. First of all, for the first year since we’ve been doing this work, which, we picked up on the Federal Trade Commission’s original study in 2003, and expanded that methodology. For the first year since we picked up on that study, way back in 2004, identity fraud has reversed course and gone up. So, I think the industry, overall, was surprised at the whopping nature, the whopping size of identity fraud, back in the early part of the new millennium, but we beat it back strongly, and what we have seen, though, is that in a tough economy, criminals have gotten more desperate, so it’s reversed course, and for the first time, it’s going back up.

FIELD: Wow. So, Jim, if you sort of look at it as the classic good news/bad news scenario, what’s the bad news in this year’s report?

VAN DYKE: Well, the bad news is that the consumers are spending more time resolving their affairs, which results in banks losing relationships and having to deal with ill will on the part of consumers. And this is probably going to drive spending back up. For example, some of the implications of this are that the average fraud victim consumer spends 30 hours resolving a case of identity fraud. And by the way, we define identity fraud as any time there is a transaction committed in another person’s name, that is, using another person’s identity without their authorization. So, it was written into law by congress and the FTC, is this identity theft definition. We don’t call it that, but this is a broad category that includes everything from one-time fraudulent transactions, for example, a credit card account, to complete account takeovers and new account establishment. And in these cases, where victims are spending 30 hours having to resolve their affairs, of course, they tell everybody they know, they have a lot of bad feelings, they’ve invested time, and they’ll never forget about it. As a result of the impact, it’s so dramatic that 15% of all victims leave their current credit card provider, 17% leave their current bank or credit union, and 40% of people who are victimized through a debit card get a new relationship.

FIELD: Wow. Okay. Flip side. What’s the good news from this year’s report?

VAN DYKE: Well, the good news from this year’s report, is banks are doing more than ever. They’re beating back fraudsters. If it had not been for great industry efforts that we see, in spades in this report, and we’re talking about it a lot in the popular media as part of this release is that we see clear evidence of banks doing a better job than years before. Translated, that means, with more fraud cases in this tough economy - and we think the two are correlated - that if banks weren’t doing the good job that they are doing, and security vendors that market solutions to banks and issuers and other institutions, and merchants, then we would have seen much, much higher losses. So, for example, consumer out-of-pocket costs, this year, went down to just under $500.

That’s the amount of actual dollars that the consumer had their load lightened by once they became a fraud victim. And you have $500, and some people say, with zero liability laws and most banks reimbursing consumers who have, say, a DDA fraud experience, since most fraud is from a DDA or a credit card account, why are people paying anything? It just doesn’t seem believable.

But, we know that number is absolutely reliable, because in the extreme cases, people are victimized by friends, so called, family members, other people that they may not want to press charges against. There are crimes that go on for a long period, in which people just finally say, “I give up. I can’t unravel this. You’re asking me too many questions.” So, that average consumer cost is going down. The average fraud amount, that is, the amount that the criminal at least initially got away with, is going down. And, amidst the disturbing trends, we see that there are fewer cases where the criminal was able just to have their way, if you will, with changing all kinds of individual fields within an account. In the case of .... And of course, they’re committing fraud, like PINs, addresses, and other personal information like that, that criminals like to do.

FIELD: Now, Jim, one of the things that struck me in the results was the headline that women are more likely to be victims of identity fraud. Why is that?

VAN DYKE: Yeah. Along with finding that fraud is on the increase, this was probably the other most surprising finding. We just didn’t see this one coming. Going along with this trend, we dug deeper into the data and our cross-tabs and all those things that research companies do, and what we saw was that women, their fraud cases linger for a longer period of time. They’re not using electronic monitoring methods, like e-mail alerts, and even, in some cases, mobile alerts. They’re not using it, they’re not taking advantage of technologies that actually can make people safer, to the degree that men are. And, we just don’t think that they’re probably being educated and aware, and potentially, as self-reliant as they could be, as men, who might be more comfortable with technology, just from what we see in other research data, as well.

So, we need to get people comfortable with the advantages of using new technology. And, it’s even interesting to see how this shows up with online shopping. Men use online shopping, and women use more in person purchases more. What does that have to do with it? Well, through electronic methods, you actually have more control. If you’re a properly educated and equipped customer, you use the right tools, and you know what you’re doing. So, we think there’s a real behavioral disparity. Criminals have taken advantage of it, and we need to reverse it.

FIELD: That’s interesting. Now, in the course of this conversation, you’ve mentioned banking institutions a couple of different times. What do you find to be sort of the big news for financial institutions, and what do they need to be watching most closely now?

VAN DYKE: Well, they need to be watching for multi-channel crimes. It’s easy just to obsess about the electronic crimes, for example. Very well-intended CISOs can think about identity fraud and just say, “Oh, that means I need to step up against cyber-attacks and the latest form of phishing and vishing and everything else.” The impersonation crimes, where they didn’t have a form of social engineering and all that. Well, there’s an awful lot of low-tech crimes, as well. And, low-tech crimes tend to have higher dollar impact than high-tech crimes, particularly because the perpetrator is someone closer to you.

So, our point is, be agnostic. Be aware of all the channels that criminals use, because they do use all the channels, and they don’t have this bias towards technology. They use them all. There are more attacks electronically, but there are more successes and higher dollar damage for the traditional crimes. Look at them both, and realize that the cross-channel crimes we have been reporting on for several years, is on the rise. That is, you steal data through one channel and you use it in another. Maybe the theft channel was the traditional one, and the transaction was electronic.

That’s often the case. But sometimes it’s the reverse, steal the data online, and then write a paper check. Who knows? And also, and we go into this a lot in our banking safety scorecards, we look at comparing the features that banks have, and there’s a lot of very specific mandates in there for banks, that can improve their safety. Working with the willing customer is very important, and I’ll touch on just a couple of areas.

One, there is this fallacy that says, completely unsupported by data, even though I hear people, quite frequently, they’ll say things like the following, “Consumers don’t want to be involved in their own security. They just can’t take the time. They can’t be effective at it, even if they are willing to get involved, they just can’t do anything right, they can’t follow instructions.” Research data just doesn’t support any of that. In fact, it speaks just the opposite. People will leave your institution for another one if they are not allowed to be involved in their own safety. They can be just as effective in great technologies. And why buy an expensive technology that tries to mimic the mind of the accountholder, when you’ve got an accountholder that is dying to get involved in their own security. Our point is, use the best of great backend security technologies, and there are some great ones out there, with the best of consumer willingness, because one out of two fraud cases are first detected by your customer, and if you don’t let them get involved, they’ll go somewhere else.

FIELD: Jim, did this survey uncover any new data on the insider threat, or is that something you didn’t deal with here?

VAN DYKE: We did deal with it. Insider threats, they’re among the toughest to study. And yes, we did go into this area, but one of the challenges of the area of insider fraud is that if information was exposed by, say, a bank, or maybe even a merchant employee or somebody else, that it’s probably a little less likely to have more information known about it. So, yes, we do ask about it, and there are cases where victims know about it. It shows up on our data. It shows the percentage of cases of crime attributed to that. Having said that, though, this is one in which it’s a little more insidious. When perpetrators are found out, probably doing a complete post mortem with that person is part of the terms of agreeing on jail time, and that sort of thing, is particularly vital, and the industry needs to work together, then, to compare data from those interrogations.

FIELD: Yeah, that makes sense. Now, the other constituency that strikes me is the government. You’ve got a captive audience, it would seem, in Washington right now, with the new administration. It’s going to be very much paying attention to these issues. So, I guess the question is, what is the news to the government regarding potential legislation and regulation about these issues?

VAN DYKE: Yeah, that’s another great question because the financial services industry is doing a good job, even [...] more regulation, as part of his campaigning efforts. Will that extend to this? I’m not going to be a proponent of a lot of big changes in this, because we see a lot of good work going on.

FIELD: Jim, one last question for you. If I could ask you for a bottom line, what are the key risks that financial institutions and consumers need to be watching out for in 2009?

VAN DYKE: Multi-channel fraud and ignoring the customer are the biggest risks that are out there. So, multi-channel fraud, criminals will often use multiple channels, and so you need to have an approach of trying to make sure you’re not blind to a criminal that stole the data through one channel and used it through another. But, that you are integrating all departments that are fighting fraud, as well as trying to mitigate it on the backend, through technologies that the consumer will never see and shouldn’t see. So, good technologies, like fraud filters, neural nets, and behind-the-scenes authentication and device fingerprinting, and all those other areas. Great stuff. Also, keep working with your customer.
They will go somewhere else if though crime is rising, they’re holding down the amounts, you don’t let them. Just as important, they can make a they’re holding down the consumer costs, even though difference in the battle. And so, if you’ve got this highly you have a much more motivated criminal element, be- motivated, free resource, that is one of your current cus- cause we are dealing with tough economic times. And so, tomers, why turn them away, like so many providers do. banks are taking some good steps. And, yet, we saw in our We see banks are doing a good job with this today, and we data years ago, early alarm bells, if you will, to financial just encourage more of that. institutions, for things that later on became regulation, so people need to pour into the results of the study, and say, FIELD: Jim, as always, thanks so much for your time and “What actions do I need to take?” This study, the score- your insight today. cards, and others, all help people do that. And there are backend technologies and the customer-involved technol- VAN DYKE: Thanks, Tom, we really appreciate it. ogies that can be applied. There’s just dozens and dozens of them. FIELD: We’ve been talking with Jim Van Dyke, president and founder of Javelin Strategy and Research. For Infor- But none example of how we predicted what later became mation Security Media Group, I’m Tom Field. Thank you a regulation that we are now all dealing with was address very much. ISMG changes, the red flags ruling. We saw several years ago, before it was even talked about, that criminals were using address changes as part of their perpetration of fraud. And, Read the transcript online at http://www.bankinfosecurity. we also saw from another study that they weren’t notify- com/articles.php?art_id=1225 ing consumers at the original address when an address had been changed. So, will we see more regulatory action? Well, I think we have a pro-regulation environment right now, in general. 
Obama has already said we can expect


Embezzlement has become the nation’s favorite financial crime -- and losses attributed to embezzlement are greater than those from all other financial crimes combined. Understanding the crime of embezzlement is critical to every investigator.

* Where embezzlers look for opportunities;
* Identifying embezzlement offenders;
* The differences between men & women embezzlers.

July 1, 2009 (1:00 PM EST); August 13, 2009 (3:30 PM EST)

Presented by Dana Turner, security practitioner with Security Education Systems

Conducting any kind of an investigation can be risky. Conducting an investigation that involves people’s character, finances and relationships within a family or an employee’s workplace is even riskier because it likely changes the lives, careers and relationships among all of the participants.

* Components of a financial crime investigation;
* How to plan a financial crime investigative strategy;
* When to justify further investigation.

June 25, 2009 (3:30 PM EST); July 13, 2009 (10:00 AM EST)

The Insider Threat: 16 Tips to Protect Critical Data

Is 2009 the Year of the Insider Threat?

Linda McGlasson, Managing Editor

Last August’s arrest of a Countrywide employee in California illustrates the potential impact of a single insider with access to sensitive information. The FBI charged the former employee with taking 2 million names and personal information from the mortgage bank and selling them for a profit.

Another example: Last month’s indictment in federal court of an ex-consultant at Fannie Mae for allegedly placing a logic timebomb on the mortgage giant’s computer systems last October. If not discovered, this trap would have wiped out all the company’s 4,000 computer servers.

These illustrate the need to have monitoring and controls in place, along with an education program to help employees learn about the insider threat as part of an information security awareness program.

Heightened Risk

The increased number of employers handing out pink slips doesn’t help quell the threat, with a record number of people on the unemployment lines and others at work worried about their own positions. “We’re going to see some insider events where insiders are tempted enough by money to enable these compromises to take place from outsiders, allowing access to payment data and account information,” says Mike Urban, senior director of Fraud Solutions at Fair Isaac.

Urban, with more than 14 years of electronic fund transfer and fraud resolution experience in the industry, says all institutions should review their strength against an insider threat. “When should institutions be concerned about insider threat?” he asks. “During times before, during and after a merger takes place, or during uncertain times such as the times we’re in now.”

The areas once thought separate -- financial fraud and information security -- are converging, he notes. “People are laid off, you’ve got fewer people doing work -- a lot of things that would be normally picked up, or watched or noticed will not be because the person that used to do that isn’t there anymore,” Urban says. “Even employees who are still at the institution and think they may be laid off begin thinking what they could take to protect their own financial future wellbeing,” he says.

Senior management needs to consider the risks when system mergers take place. “There’s a lot of chances for information to be in places it shouldn’t be,” Urban says, so a high level of awareness needs to be encouraged.

Tips for Fighting the Threat

Organizations also should take a close look at the “Insider Threat Study” by Carnegie Mellon’s CERT Program. Randy Trzeciak of Carnegie Mellon’s CERT insider threat research program was recently interviewed by Information Security Media Group on 100 insider cases that the study compiled since 2001 and some highlights from its findings.

The study shows the “big picture” analysis of insider IT sabotage and has seven general observations about the cases. Another excellent source for institutions to follow that Trzeciak recommends is the CERT “Common Sense Guide to the Prevention and Detection of the Insider Threat.”

Here are 16 practices that CERT says will help provide an institution with defensive measures that could help prevent or detect insider incidents:

1. Consider threats from insiders and business partners in your enterprise-wide risk assessments. This is especially difficult for institutions, as the scope of the “insider” stretches out to service providers and vendors.

2. Clearly document and consistently enforce policies and controls. CERT sees that clear documentation and communication of technical and organizational policies and controls “could have mitigated some of the insider incidents, theft, modification and IT sabotage” it has in its case library.

3. Institute periodic security awareness training for all employees. Developing a culture of security awareness is only the first step. CERT says employees “also need to be aware that individuals, either inside or outside, may try to co-opt them into activities counter to the organization’s mission.”

4. Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process. This should begin even before an employee is hired, CERT says. Things to look out for include repeated policy violations “that may indicate or escalate into more serious criminal activity.”

5. Anticipate and manage negative workplace issues. Institutions should carefully review their processes, beginning with pre-employment, employment and termination. Of special note, CERT notes, “Contentious employee terminations must be handled with utmost care, as most insider IT sabotage attacks occur following termination.”

6. Track and secure the physical environment. Most institutions are already on top of this issue, though CERT’s reminder about access attempts is clear. “Access attempts should be logged and regularly audited to identify violations or attempted violations of the physical space and equipment access policies.”

7. Implement strict password and account management policies and practices. This is important, CERT says, and “password and account management policies and practices should apply to employees, contractors and business partners.”

8. Enforce separation of duties and least privilege. By giving employees only the resources they need to do their jobs, “the possibility that one individual could commit fraud or sabotage without cooperation of another individual within the organization is limited.”

9. Consider insider threats in the software development life cycle. While this one won’t apply to many of the institutions that operate systems but don’t develop them, consideration should be made to look into the software development from vendors and core service providers.

10. Use extra caution with system administrators and technical or privileged users. Many institutions already follow CERT’s recommendations on this by separation of duties or employing the two-man rule for critical system administrator functions. CERT’s insight on this, “Technically adept individuals are more likely to resort to technical means to exact revenge for perceived wrongs.”

11. Implement system change controls. In CERT’s study of 100 insider incidents, there are a wide variety that relied on unauthorized modifications to the organization’s system -- a strong argument for change controls as a mitigation strategy.

12. Log, monitor and audit employee online actions. CERT’s study shows new findings in this area that can help institutions to refine data leakage prevention strategies. One example CERT gives is to monitor an employee’s online actions around the time the employee is terminated.

13. Use layered defense against remote attacks. CERT’s recommendation is based on the premise that should employees know they are being monitored, a disgruntled insider will try to use remote access to gain access. Especially important is disabling remote access and retrieval of company equipment from terminated employees.

14. Deactivate computer access following termination. This should happen quickly, including all physical locations, networks, systems, applications and data.

15. Implement secure backup and recovery processes. CERT admits that no institution can completely eliminate the risk of insider attack. Preparation and implementation of a secure backup and recovery process is critical.

16. Develop an insider incident response plan. CERT says this could prove challenging, “because the same people assigned to a response team may be among the most likely to think about using their technical skills against the organization.” CERT recommends that only those responsible for carrying out the plan need to understand and be trained on its execution.

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1257
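Tips 12 and 14 above (review online actions around termination, deactivate access promptly) can be checked mechanically by reconciling the HR termination feed against the activity log. The script below is an added example, not from the article or from CERT; its user names, timestamps, log format and thresholds are constructed for illustration.

```python
"""Added example (not from the article or CERT): reconcile an HR termination
feed with an activity log to enforce tips 12 and 14. Users, timestamps,
log format and thresholds are all constructed for illustration."""
from datetime import datetime, timedelta

DEACTIVATION_SLA = timedelta(hours=4)   # assumed policy: revoke access within 4 hours of termination
PRE_TERM_WINDOW = timedelta(days=7)     # assumed look-back for activity "around the time" of termination
BULK_DOWNLOAD_MB = 500                  # assumed size of a pre-departure download worth reviewing
TS_FORMAT = "%Y-%m-%dT%H:%M"

# Constructed HR feed: user -> (termination time, time the account was disabled; None = still enabled)
HR_TERMINATIONS = {
    "jdoe":   (datetime(2009, 5, 1, 17, 0), datetime(2009, 5, 3, 9, 0)),
    "asmith": (datetime(2009, 5, 1, 17, 0), datetime(2009, 5, 1, 17, 30)),
    "rlee":   (datetime(2009, 5, 4, 12, 0), None),
}

# Constructed activity log: "<timestamp> <user> <action> <detail>"; DOWNLOAD detail is megabytes
LOG_LINES = """\
2009-04-28T22:15 jdoe DOWNLOAD 1200
2009-04-29T09:02 asmith DOWNLOAD 20
2009-05-01T08:30 jdoe LOGIN_OK vpn
2009-05-02T02:10 jdoe LOGIN_OK vpn
2009-05-02T10:00 bwong LOGIN_OK office
2009-05-02T11:45 asmith LOGIN_FAIL vpn
""".splitlines()


def parse_log(lines):
    """Turn constructed log lines into (timestamp, user, action, detail) tuples."""
    events = []
    for line in lines:
        ts, user, action, detail = line.split()
        events.append((datetime.strptime(ts, TS_FORMAT), user, action, detail))
    return events


def review_terminations(hr, events):
    """Return {user: [finding, ...]} for each terminated user; an empty list means clean."""
    findings = {user: [] for user in hr}
    for user, (term_at, disabled_at) in hr.items():
        # Tip 14: access must be deactivated quickly after termination.
        if disabled_at is None:
            findings[user].append("account still enabled after termination")
        elif disabled_at - term_at > DEACTIVATION_SLA:
            lag_h = (disabled_at - term_at).total_seconds() / 3600
            findings[user].append(f"deactivated {lag_h:.0f}h after termination")
        # Tip 12: review the employee's online actions around the termination.
        for ts, who, action, detail in events:
            if who != user:
                continue
            if action == "LOGIN_OK" and ts > term_at:
                findings[user].append(
                    f"successful {detail} login at {ts:{TS_FORMAT}} after termination")
            if (action == "DOWNLOAD" and int(detail) >= BULK_DOWNLOAD_MB
                    and term_at - PRE_TERM_WINDOW <= ts <= term_at):
                findings[user].append(
                    f"{detail} MB downloaded at {ts:{TS_FORMAT}}, shortly before termination")
    return findings


if __name__ == "__main__":
    for user, notes in review_terminations(HR_TERMINATIONS, parse_log(LOG_LINES)).items():
        print(user, notes or ["no findings"])
```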

Phishing: How to Help Protect Your Customers

Amidst the volatility and confusion in the marketplace, the threat of fraud is heightened - which means... beware of phishing.

In this exclusive interview, Dave Jevans, chair of the Anti-Phishing Working Group, discusses:

• The state of phishing against banking institutions;
• The most effective ways for banking institutions to fight back;
• Top trends for 2009.

David Jevans is the chief executive officer of IronKey, based in Los Altos, California. David is also the chairman and founder of the Anti-Phishing Working Group, the leading non-profit organization dedicated to eradicating identity theft and fraud on the Internet. The APWG has over 1,500 member companies and agencies worldwide. Membership is limited to banks and other financial institutions, ISPs, law enforcement agencies and security technology vendors. David has over 10 years of business experience in the Internet security industry, has founded two high-tech startups, and has been through IPO, mergers and acquisitions.

TOM FIELD: Hi, this is Tom Field, editorial director with Information Security Media Group. The topic today is phishing, and we are talking with David Jevans, chairman of the Anti-Phishing Working Group. Hey, David, it’s good to catch up with you again.

DAVID JEVANS: Great to talk with you, Tom.

FIELD: From what I hear, things are awfully busy in your business, so I’m curious, given this state of the economy, what is the state of phishing against banking institutions these days?

JEVANS: Well, Tom, what we are seeing is when times get tough the cyber criminal community actually gets quite a bit more active, and we are seeing that really across the board in phishing attacks, also new types of malware that gets onto your computer and starts stealing your passwords and doing all kinds of nefarious activity. So definitely seeing an uptick in phishing attacks and malware and also increasing sophistication and lots of attempting to use some of the situations with the banks right now as a ruse to trick people into giving out their passwords.

FIELD: Well that’s interesting certainly because when I see IndyMac or Wachovia news about that all of the sudden my spam filter fills up with bogus notes from these institutions, and I’ve got to assume that is what lots of people are seeing.

JEVANS: That’s right. We are seeing it against banks, we are seeing it against customers of insurance companies that have been in the news recently. So it is definitely something the scammers are using to try to trick people when they are a little confused or concerned.

FIELD: Now are there any new wrinkles on old tricks that you are starting to see emerge?

JEVANS: Well, we are seeing a little bit more sophistication around some of the holiday scams. We’ve been seeing email scams coming up pretending to be from FedEx and UPS where you’ve got an order confirmation for something you didn’t actually order online, and those either take you to phishing sites or to sites that try to install malicious software on your computer. So there has definitely been kind of some new revolution in that side of it.

The other thing is there has been increasing spear phishing going on where the bad guys get your name and maybe part of your account number and your email address and then send you very targeted emails directly to you, and people tend to fall for those when it has their full name and some information about them.

Another wrinkle that we have been seeing is the use of social networks to spread phishing and also to spread messages that get people to click on them and then install malicious software on their computer.

So imagine for example, if somebody takes over your Myspace account, and then they send emails out to all of your friends coming from you, so your friends naturally click on it and that email installs some software onto their computer that steals their passwords, and then they can start sending out the email from those people, so you can get very, very violent attacks that spread through social networks very, very quickly and that can install malicious software on hundreds of computers very quickly.

FIELD: That’s funny that you mention that because that almost happened to me last week when I got just such a note from, believe it or not, a security executive on Facebook, and it was exactly as you described.

JEVANS: Yeah. There have been targeted ones, and some of them are more just widespread trying to get malicious software on as many computers as possible, and some of them are more targeted where they are going after security executives that perhaps sell into financial institutions, and so they actually are trying to get malware inside a financial institution through some of the social networking or spear phishing attacks.

“You can get very, very violent attacks that spread through social networks very, very quickly and that can install malicious software on hundreds of computers very quickly.” – Dave Jevans, APWG

FIELD: Boy, scary stuff. What do you find to be some of the most effective ways for banking institutions to help their customers to fight back?

JEVANS: Well, customer education is definitely one thing. And trying to do that a little bit in advance and giving people resources on your website when they log-in, having information on the log in page that is always there about ‘click here to learn about security’ or warning there are fake emails. And it is best to do that in advance because if you wait until you have a big phishing attack, it is really too late, and then you are actually making the problem worse by sending an email to your customers trying to educate them.

So, we definitely advocate educating them early and educating them on the web page when they log in. We also, of course, are seeing a lot more deployment of stronger authentication technologies by financial institutions. Some of them - for their higher net-worth customers or for their wholesale customers - are deploying authentication devices, which can make phishing not impossible, but can make it very, very difficult for the bad guys.

FIELD: Now Dave, I hear banking institutions saying all the right things about phishing right now, so I get the sense that they are making an effort to educate, but for those that maybe don’t see this as an immediate concern, what are some of the warning signs that your institutions’ customers are being phished?

JEVANS: Well there are a couple of things that you can do as a financial institution. If you get phone calls in, sometimes you’ll get one or two phone calls in saying ‘hey, I got what looks like a phishing email.’ Make it easy for people to submit that stuff via email to you so that if there is a fraud or a spoof at your bank.com address people can send it in. So don’t ignore those early warning signs where you might get one or two people complaining. What you need to do is try to get a copy of the phishing email if possible and find out what is the ruse, what is the server that they are hosting it on.

Another thing that you can do is watch your email for what we call backscatter. This is when phishers send emails to bad email addresses that they bought off a spam list. They will typically put your bank’s email address as the bounce-back location, so if you are monitoring your email servers and the bounce-backs that say for example, no such address, you can start to see when the phishers are testing a phishing kit. That is typically what is happening, these low volume reports, a little bit of backscatter on your mail server, and that is usually somebody doing a test.

And if they are doing a test, they are trying to find vulnerabilities in your site, and they are trying to find--basically set up the system, set up the phishing kits and find the response rate. That is when you need to get worried, and that is when you need to get serious because that can indicate that there potentially is a major attack coming.

In our experience, once the phishing kit has been created for your financial institution, it often gets combined with other phishing kits, so one phishing site might host the phishing site for five different banks, and typically once that starts it rarely goes away. They continue until you close whatever loophole it is where they are somehow able to monetize that, so definitely pay attention early on.

FIELD: You spoke a few minutes ago about the importance of educating consumers. What have you found to be some of the most effective ways to educate them?

JEVANS: Well, unfortunately educating the consumer is going to be a never ending task, and you will never educate more than about half of them. But effective ways are definitely, as we mentioned earlier, putting information on the log-in page of your website, putting information once they’ve logged in, occasionally alerting them to that. Sometimes putting pictures of phishing emails and letting them know that they are fake emails and we don’t ask you for information.

So visually showing what these sites look like and also being very, very clear and specific and simple. For example, we will never ask for your Social Security number is one very simple message, and just make sure that you never break that rule and that you don’t sometimes have a marketing thing that asks for it.

So it’s keeping the message simple and making it easy to access on the Internet; these tend to be the best way to educate customers.

FIELD: Earlier in the year Dave we heard an awful lot about vishing, the attempts. I am curious one, whether that has remained a prevalent trend and then two, as you are looking ahead, what are you seeing emerging as the top phishing trends that people ought to be aware of?

JEVANS: Well we have definitely been seeing an increase in vishing, or voice phishing. Vishing can be very effective because you are sending an email out with no links in it at all to bad websites, which means they typically will get through a spam filter and those will have a phone number saying there is an issue with your account, so please call this phone number. Then the people of course call the phone number and it is a site hosted on the Internet, and they are entering in their account numbers and PIN numbers and things like that.

That has risen to about 1% of phishing, and it continues to rise. The Federal Trade Commission has done a great job creating an educational warning message that the phone companies can place when they take down one of these vishing numbers. So sometimes you might call one of these, and if the phone company has taken the number down, there is a really great FTC educational and warning.

By the way, one other thing that we have also done at the Anti-Phishing Working Group is we have put together a landing page that educates consumers about phishing, and we encourage ISP’s to point to it when they take down a phishing site, so that if consumers visit those sites they get a very consistent educational message.

So back to the emerging threats of 2009, we think continued vishing, definitely much more targeted attacks, so we do know that there are tens of millions of people’s data floating around from different database breaches. That information can be used to create extremely targeted phishing attacks.

We also will continue to see an increase in very technically sophisticated attacks against financial institutions and other companies directly. These will be attempts to install malware inside of the companies, attempts to steal access credentials to get into company networks. One thing we are particularly worried about that recently cropped up are phishers sending email to technical contact of a domain registrar. So for example, if mybank.com is the website, the webmaster who controls that would be webmaster@mybank.com, they will send emails pretending to be from the domain registrar saying your domain name is about to expire and you need to update it or update your contact information.

That will get sent directly to the technical contact and if that person were to fall for it and login using their name and password, then the bad guys could basically take over an entire bank’s website and email traffic and redirect it to their own sites. So that is something we are quite concerned about, and we have already seen some of that in the last couple of weeks against some of the major registrars. So it’s definitely something to be concerned about and to be very wary of on the bank IT side of things.

FIELD: So there continues to be more scary stuff that we need to be worried about.

JEVANS: Yeah, and they continue to get more professional. That’s what is really going on. They are taking more time to think through the scam, and they are thinking through how to use third parties, non-obvious systems like social networks, professional social networking systems, stolen databases, and so on.

So the threats and the attacks are going to be things that are probably difficult for us to imagine at this point because they are working through some fairly sophisticated scenarios and there are clearly some of these attacks where people have planned it for many, many months and are patient about trying to get a big score.

FIELD: Well, Dave, let’s keep in touch and in 2009 please keep us apprised of the threats and we will do our best to spread the word to the banking institutions.

JEVANS: Thanks Tom, great talking with you today.

FIELD: We’ve been talking with Dave Jevans, chairman of the Anti-Phishing Working Group. For Information Security Media Group, I’m Tom Field. Thank you very much.

Read the transcript online at http://www.bankinfosecurity.com/articles.php?art_id=1128
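The backscatter warning sign Jevans describes in the interview above (bounces for mail the bank never sent, arriving because a phishing kit used the bank’s address as its bounce-back location) can be turned into a simple mail-server check. The code below is an added example, not from the interview or from the APWG; the bounce log format, the domain names and the clustering thresholds are constructed for illustration.

```python
"""Added example (not from the interview or the APWG): spotting phishing-kit
backscatter. Bounces (DSNs) reaching the bank's mail server are matched by
Message-ID against what the bank's own MTA actually sent; bounces for mail the
bank never sent mean someone else is using the bank's address as the return
path. A small cluster in a short window is the early warning Jevans describes.
Log format, addresses and thresholds are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime, timedelta

BANK_DOMAIN = "bank.example"     # placeholder for the institution's own domain
WINDOW = timedelta(hours=1)      # assumed: cluster window for "low volume" test traffic
ORPHAN_THRESHOLD = 3             # assumed: this many unmatched bounces in one window alerts

# Constructed outbound log: Message-IDs the bank's MTA really relayed
SENT_MESSAGE_IDS = {
    "<stmt-2009-0601-01@bank.example>",
    "<stmt-2009-0601-02@bank.example>",
}

# Constructed inbound DSN summary lines:
# "<timestamp> bounce to=<original recipient> rp=<return-path> mid=<Message-ID> status=<dsn code>"
BOUNCE_LINES = """\
2009-06-01T09:00 bounce to=alice@isp-a.example rp=alerts@bank.example mid=<stmt-2009-0601-01@bank.example> status=5.1.1
2009-06-01T14:02 bounce to=zq7@free-mail.example rp=security@bank.example mid=<8f1a@kit.example> status=5.1.1
2009-06-01T14:05 bounce to=old.addr@isp-b.example rp=security@bank.example mid=<8f1b@kit.example> status=5.1.1
2009-06-01T14:07 bounce to=nobody@isp-c.example rp=security@bank.example mid=<8f1c@kit.example> status=5.1.1
2009-06-01T14:09 bounce to=bob@isp-a.example rp=alerts@bank.example mid=<stmt-2009-0601-02@bank.example> status=5.2.2
""".splitlines()

LINE_RE = re.compile(r"^(\S+) bounce to=(\S+) rp=(\S+) mid=(<[^>]+>) status=(\S+)$")


def parse_bounces(lines):
    """Parse constructed DSN lines into (timestamp, recipient, return_path, message_id, status)."""
    bounces = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, to, rp, mid, status = m.groups()
            bounces.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), to, rp, mid, status))
    return bounces


def orphan_bounces(bounces, sent_ids):
    """Bounces that claim a bank return-path but carry a Message-ID the bank never sent."""
    return [b for b in bounces if b[2].endswith("@" + BANK_DOMAIN) and b[3] not in sent_ids]


def backscatter_alerts(bounces, sent_ids):
    """Group orphan bounces into WINDOW-sized clusters; report clusters at or above threshold."""
    orphans = sorted(orphan_bounces(bounces, sent_ids))
    alerts = []
    i = 0
    while i < len(orphans):
        start = orphans[i][0]
        cluster = [b for b in orphans[i:] if b[0] - start <= WINDOW]
        if len(cluster) >= ORPHAN_THRESHOLD:
            alerts.append({
                "first_seen": start,
                "count": len(cluster),
                "return_paths": Counter(b[2] for b in cluster),   # which bank address is being spoofed
                "recipient_domains": sorted({b[1].split("@")[1] for b in cluster}),
            })
            i += len(cluster)   # skip past the reported cluster
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in backscatter_alerts(parse_bounces(BOUNCE_LINES), SENT_MESSAGE_IDS):
        print(f"{alert['first_seen']:%Y-%m-%d %H:%M}: {alert['count']} orphan bounces, "
              f"spoofed return paths {dict(alert['return_paths'])}, "
              f"recipient domains {alert['recipient_domains']}")
```

The spoofed return-path tells the institution which of its addresses the kit impersonates, and the recipient domains give the mail operators something to correlate with when the real campaign follows.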


Top Trends in ACH Fraud

What You Need to Know About Payroll Fraud, ACH Kiting and Solutions to Fight These Threats

Linda McGlasson, Managing Editor the Financial Institution Group at Crowe-Horwath. Crimi- nals are finding it more enticing “to follow the money,” Payroll fraud, kiting – these are among the latest threats to Thomas says. Automated Clearing House (ACH) payments, which are gaining extra attention from fraudsters. This article reviews the latest ACH fraud trends, and what institutions should be doing to protect themselves. There will be 25 billion ACH transactions occurring annu- ally by 2010, estimates NACHA, the electronics payment How ACH Fraud Happens association. Many of these transactions will be check con- Before ACH did check conversion, there was very little versions at merchants, including Wal-Mart, Target and fraud, because most transactions were driven by relation- large supermarket chains. ship, notes Nancy Atkinson, wholesale banking senior an- alyst at the Aite Group. “So when a corporation had to get With these numbers growing every year, ACH fraud is also an individual’s permission to credit, much less debit their growing, says Michael Thomas, executive-in-charge of account, the banks knew the corporation, and they knew

Copyright © Information Security Media Group, Corp. 28 Security Strategies

they could depend on the corporation to stand behind its transactions if a debit or credit came into question by a consumer.”

On the business side, the companies using ACH set up accounts that would either only accept ACH credits or issue them. As ACH has expanded past the payroll, social security payment or repetitive bill-pay solution, moving into mainstream transactions that can be used for almost any kind of payment and check replacement truncation, fraud risk has grown. “This includes at point of sale or on the web or over the phone,” Atkinson says. “You’ve lost the controls that used to exist, and those direct relationships that used to exist. Banks used to have controls on how big a transaction a business can make and how much coverage it has to have over the two-day period it takes for that transaction to settle.”

One way ACH fraud can occur: Companies can get hooked into a legitimate bank ACH network and then send out fictitious changes, like telling checking accounts they’ve agreed to pay a small amount to a charity. “By the time the customers get a copy of these transactions and they protest the withdrawal, by that point the bank is stuck with all the returns, because the sham operator of the fraud has withdrawn all the money and left,” Thomas says.

The good news is that type of ACH fraud had been the most common type of fraud over the years, but NACHA and a number of financial institutions have been doing a much better upfront job in determining who they will let become an ACH customer. So this specific type of fraud, while still occurring, has slowed down a lot, Thomas notes. Other fraud threats, alas, have grown.

ACH Risk #1: Payroll Fraud

The new type of ACH fraud that Thomas and other fraud experts are seeing is a combination of ACH fraud and what he calls “social engineering and computer hacking.” This is the threat with which Thomas sees a lot of his customers getting hit.

Traditionally in the ACH process, a bank would set up a business to do its payroll through ACH, say, on the 13th and 28th of the month. The institution would bring over the tape, and the bank would run it on its machine and check that the nature and amount of the check was proper. The bank would call back and verify the amounts with the company before it released the payroll. Everything was a chain-of-command, procedures, and the parties knew it was going to happen on a specific date for a specific amount.

“The fraud we’re seeing today is because financial institutions are doing all of this over the Internet,” Thomas notes. “Typically, the bank does not have controls over these processes. It assumes that because you were able to access the account, you, (the business) know your password and account information.”

What he is now seeing are conmen or criminals who can’t break into a bank through its firewalls, so “They’re actually going to manufacturing companies, businesses, and social engineering their way to someone’s laptop,” Thomas says. “They’re coming in through a firewall, with a stolen account and password and are pretending to be that customer.”

The hacker/conman comes in through the ACH account and cleans it out. “So instead of paying out the payroll, the payroll goes to the conman.”

Thomas’ advice to institutions on handling payroll ACH fraud: “Go ahead, go back to the old way. Even though it is coming through the Internet, pick up the phone to verify, and this way you’re covered. Or by fax, ‘We see you’re processing the payroll, just wanted to verify the amount,’” he says.

ACH Risk #2: Kiting

ACH kiting is similar to check kiting and is an unusual kind of fraud. “But when it happens, it can happen big,” says Thomas. He lays out the scenario: A bogus charity sends out charges for $100,000. The bills are sitting in companies’ inboxes, and the bogus charity now has what appears to be $100,000 worth of credit in their account at the bank. Then they take that money and they’re gone. Then the companies who see their accounts debited for that amount come back and question it, and the bank finds

out the scam has happened, and they’re left with lots of angry commercial account holders and $100,000 in fraud losses.

In ACH kiting, it happens that the first day the scam charity sends out $100,000, then the second day it sends out $150,000 and the third day it sends out $200,000 and so on, so when the first day and second day charges begin to be returned it appears the scam charity has a net position of a big credit. The bank doesn’t realize its exposure, because the credits keep coming in at a faster rate than the returns do, so the scam charity keeps building up its balance until it gets really, really high. “In the first scam the fake charity may only get $100,000, in this scenario it could get millions, because it can keep running the fraud. So when it does cut and run, the institution is faced with a tremendous hit,” Thomas notes.

His advice is, again, focus on the procedures here, and monitor debit returns over a period of time.

More sophisticated institutions will set up exposure limits for new customers, and set them on single-day exposures, and then over a period of days. “For example, the bank sets a limit of exposure for a single day at $100,000, and not more than $150,000 over a period of four days,” he explains. This way it is limiting its exposure to ACH kiting, and monitoring the new customer until the institution builds up history with it.

As to the question of how long to monitor, Thomas says most people do a standard three months, some go as high as six months. “The better institutions understand that this is a credit product, and do their due diligence up front through their loan officer,” he observes. The less sophisticated institutions see this as a deposit product and are more likely to get hit with fraud.

Who’s at Risk?

Larger institutions are getting hit with ACH fraud because they have more complex Internet ACH transaction mechanisms in place and have done away with the “call-backs” and manual controls. They also have much higher volumes, Thomas notes.

The ACH fraud Thomas sees is hitting regional and super regional banks. Many of them are restoring those manual controls (call-backs). Rather than putting an automatic call-back on every ACH transaction over a certain amount, Thomas suggests that the bank look at whether the ACH transaction is scheduled. Most of them are: payroll payouts and most outgoing debits run on schedules, and most are for similar amounts that won’t vary widely.

More Security, Monitoring Needed

Aite’s Atkinson sees the need for further tightening in security for online banking, including strong multi-factor authentication. “Banks need to demand that core service providers offer it as well,” she says. ACH providers have built improvements into their systems, including ways for positive payer and payee capabilities, including check processing for corporations, “So that if a check gets converted to an ACH transaction, the corporation has not lost the opportunity for positive pay and payee. If something doesn’t match when the bank is processing, the bank stops it and brings it back to the corporation,” Atkinson says. This, she notes, has been a real improvement.

The reality of it is, unless an institution has minuscule amounts of ACH transactions, it needs to have some form of automated monitoring of the transaction in order to evaluate what is originating out of the institution, says Erik Stein, Fiserv’s Solutions Architecture Fraud & Compliance Solutions vice president. “Institutions need to know who is originating transactions and manage their due diligence, to know they’re looking at those originators on an ongoing basis,” he says.
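The controls described above (single-day and multi-day exposure limits for new originators, watching debit returns over a period of time for the kiting pattern, checking whether a scheduled originator such as payroll is running on its usual dates for its usual amounts, and Stein’s point that originations need automated, ongoing monitoring) can be put together in a small per-originator monitor. The script below is an added example written for this article; it is not the article’s own code nor any vendor’s product. The $100,000 single-day and $150,000 four-day limits come from the text; the 15% return-rate threshold, the 25% amount tolerance, the originator names and every sample entry are constructed for illustration.

```python
# Added example (not from the article or any vendor): a minimal ACH originator monitor
# implementing the controls the text describes. Limits follow the article's figures;
# the return-rate threshold, amount tolerance and all sample entries are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class AchEntry:
    originator: str   # the bank's business customer that originated the item
    day: date
    amount: int       # cents
    kind: str         # "origination" (credit or debit the customer sent) or "return"


SINGLE_DAY_LIMIT = 100_000_00  # $100,000, the article's single-day figure
WINDOW_LIMIT = 150_000_00      # $150,000 over the rolling window, the article's four-day figure
WINDOW_DAYS = 4
RETURN_RATE_ALERT = 0.15       # assumption: share of windowed originations returned that warrants review


def daily_totals(entries, originator, kind):
    """Sum amounts per day for one originator and one entry kind."""
    totals = defaultdict(int)
    for e in entries:
        if e.originator == originator and e.kind == kind:
            totals[e.day] += e.amount
    return totals


def window_sum(totals, end, days):
    """Total over the `days`-day window ending on `end` (inclusive)."""
    start = end - timedelta(days=days - 1)
    return sum(v for d, v in totals.items() if start <= d <= end)


def check_exposure(entries, originator):
    """Exposure-limit breaches as (day, rule, amount) for single-day and rolling-window totals."""
    originated = daily_totals(entries, originator, "origination")
    breaches = []
    for d in sorted(originated):
        if originated[d] > SINGLE_DAY_LIMIT:
            breaches.append((d, "single_day", originated[d]))
        w = window_sum(originated, d, WINDOW_DAYS)
        if w > WINDOW_LIMIT:
            breaches.append((d, "window", w))
    return breaches


def kiting_signal(entries, originator, as_of):
    """Returns arriving while origination volume keeps growing is the kiting pattern:
    report the windowed return rate and the unreturned balance that looks like credit."""
    originated = daily_totals(entries, originator, "origination")
    returned = daily_totals(entries, originator, "return")
    sent = window_sum(originated, as_of, WINDOW_DAYS)
    back = window_sum(returned, as_of, WINDOW_DAYS)
    rate = back / sent if sent else 0.0
    apparent_credit = sum(originated.values()) - sum(returned.values())
    return {"return_rate": rate, "apparent_credit": apparent_credit, "alert": rate > RETURN_RATE_ALERT}


def check_schedule(entries, originator, expected_days, tolerance=0.25):
    """For a scheduled originator (payroll on the 13th and 28th, say), flag items that are
    off-schedule or deviate from the median of prior accepted items by more than `tolerance`.
    Flagged items stay out of the baseline until verified (the call-back the article suggests)."""
    items = sorted((e for e in entries if e.originator == originator and e.kind == "origination"),
                   key=lambda e: e.day)
    history, flags = [], []
    for e in items:
        if e.day.day not in expected_days:
            flags.append((e.day, "off_schedule", e.amount))
            continue
        if history:
            baseline = median(history)
            if abs(e.amount - baseline) > tolerance * baseline:
                flags.append((e.day, "amount_deviation", e.amount))
                continue
        history.append(e.amount)
    return flags


# Constructed sample: a sham charity escalating $100k/$150k/$200k of debits while returns
# start coming back, and a payroll originator with one off-schedule and one oversized run.
D = date(2009, 6, 1)
SAMPLE = [
    AchEntry("charity", D, 100_000_00, "origination"),
    AchEntry("charity", D + timedelta(days=1), 150_000_00, "origination"),
    AchEntry("charity", D + timedelta(days=2), 200_000_00, "origination"),
    AchEntry("charity", D + timedelta(days=2), 60_000_00, "return"),
    AchEntry("charity", D + timedelta(days=3), 90_000_00, "return"),
    AchEntry("payroll", date(2009, 4, 13), 48_000_00, "origination"),
    AchEntry("payroll", date(2009, 4, 28), 50_000_00, "origination"),
    AchEntry("payroll", date(2009, 5, 13), 49_000_00, "origination"),
    AchEntry("payroll", date(2009, 5, 28), 51_000_00, "origination"),
    AchEntry("payroll", date(2009, 6, 2), 50_000_00, "origination"),   # off schedule
    AchEntry("payroll", date(2009, 6, 13), 95_000_00, "origination"),  # nearly double
]


def run_checks(entries=SAMPLE):
    """Run all three controls over the sample and return the findings for review."""
    return {
        "charity_exposure": check_exposure(entries, "charity"),
        "charity_kiting": kiting_signal(entries, "charity", D + timedelta(days=3)),
        "payroll_exposure": check_exposure(entries, "payroll"),
        "payroll_schedule": check_schedule(entries, "payroll", {13, 28}),
    }
```

On the sample, the charity breaches both limits on its second and third days and shows a third of its four-day volume coming back as returns while its unreturned balance still reads as $300,000 of apparent credit, which is the point at which the article's "cut and run" happens; the payroll originator never approaches the dollar limits, so only the schedule check catches its June 2 off-cycle run and the near-doubled June 13 amount. That is why the text suggests schedule and amount checks rather than an automatic call-back on every transaction above a threshold.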

In doing due diligence, institutions will have a set of criteria of the characteristics of who they’ll do business with. “If you don’t know the business model of your originator, they could be out factoring for other businesses that wouldn’t have been able to sign up as an originator with your bank. They’re now going through you, without your knowing about it,” Stein notes.

Stein sees that the ACH world will continue to become increasingly risky. “There are new SEC codes coming out on international ACH transactions, that IAT (International ACH Transactions) is coming out with,” he says. It creates a whole other set of risk profiles than what institutions have historically seen.

Another area for financial institutions to improve their fraud detection and monitoring is the centralization of fraud prevention across all payment systems. “This will make for less fraud, no matter what the payment mechanism is,” Atkinson notes.

Say someone wants to perpetrate fraud, she explains. They may start out in checks, then, when that hole is filled, they move to ACH. If an institution has filters and ways to detect and monitor behaviors that may be suspicious, and share that information across ACH, wire transfers, checks and credit cards, as well as ATM activity, then they’re getting a much better overall fraud picture and will know which individuals to pinpoint and worry about. “Banks have said that having this type of information across all activities will greatly improve their ability to fight fraud and improve regulatory compliance,” says Atkinson. ISMG

Information Security & Risk Management Training

Business and technology leaders - they are both crucial to a banking institution’s risk management and information security practices. We understand this, and we strive to ensure students from both the business and technology sides of an institution are equally satisfied by our webinars. We employ subject matter experts who speak from experience, and offer hands-on, actionable advice focusing on the issues that matter most to you.

Our training covers a broad range of information security and risk management topics focused specifically on financial institutions. Topics include regulatory compliance, business continuity/disaster recovery, application security and access management - both from the business and technology perspectives.

Read this article online at http://www.bankinfosecurity.com/articles.php?art_id=1469

Top Internet Scams for You and Your Customers to Avoid

The Agency Insider with Linda McGlasson

Among the layoffs, companies downsizing, slashing budgets and falling stock prices, there is one area of the economy that appears to be flourishing - crime via the Internet.

The Internet Crime Complaint Center (IC3) says that reports of Internet-based crime jumped 33 percent in 2008, according to the group that monitors web-based fraud.

The IC3 says in its annual report that it received more than 275,000 complaints last year, up from about 207,000 in 2007.

The total reported dollar loss from such scams was $265 million, or about $25 million more than the year before. About one in three complaints were for non-payment or non-delivery. The other most common complaints were for auction fraud or credit and debit card fraud.

The IC3, for those who may not be familiar with the group, is a partnership of the FBI and a nonprofit group that tracks white collar crime. The group forwarded more than 70,000 of the complaints to various law enforcement agencies for further investigation, and the report lists some of those who got their just deserts from being arrested.

Top Internet scams reported to IC3 in 2008 involved spam, bad checks, roommates and the names of FBI officials. The report describes the basic characteristics of the scams and shows how they often overlap with other types of crimes.

Spam was listed as one of the more significant scams the IC3 saw last year. Spam is described as fraudulent, unsolicited emails used to commit identity theft. The FBI says while the idea of using spam to steal identity information is nothing new, these emails are distinguished by looking like they’ve been sent by the FBI.

Employees and regular consumers can fall for these emails that ask for personal information, such as one’s bank account number. The emails falsely claim the FBI needs such information in order to investigate an impending financial transaction. This transaction typically involves a transfer of funds from a source in a foreign country, often Nigeria, to a bank account belonging to the e-mail recipient.

The report notes that those unknowing recipients of these emails are led to believe that, by cooperating with this investigation and providing the necessary information, they may help the FBI determine the legitimacy of the transaction and facilitate its processing. They are duped into believing they may profit greatly as a result of their cooperation, or they are threatened with prosecution by the FBI and even told they would become the subject of a terrorist investigation if they don’t cooperate. The sure sign that these emails are not legitimate is the gross spelling and grammatical errors, a characteristic of many Nigerian 419 advance fee scams.

The IC3 says it has recently changed its data collection system to isolate complaints about these kinds of emails, but says it isn’t able to quantify the total. The group says it is seeing a substantial number of complainants that indicate the popularity of this method among identity thieves.

Another scam commonly reported combines computer intrusion techniques with social engineering. This scam exhibits a more personal appeal in an attempt to defraud people. It begins with the hacker/scammer getting unauthorized access to an email user’s account.

After the email account is taken over, the scammer then uses it to send emails to the real email owner’s contact list. The scammer says they are the email account owner and tells the person they are stranded in a foreign country and have been robbed and need money wired to them to get a hotel room or a plane ticket. Same as in the FBI emails, these emails are filled with spelling and grammatical errors. Word to anyone receiving this kind of email: Contact your friend or relative by another way to confirm the request for help.

Another area of note: overpayment scams. Fraudsters negotiate formal or informal contracts requiring payment to victims. Almost invariably, the victim receives payments in excess of the amount owed. Fraudsters then instruct them to deposit the money and to wire the excess amount back to them or some third party, usually supplying a credible story explaining the excess amount.

If the fraudsters are successful, the victims follow their instructions, only to find out later that the payment instrument (usually a bank check or money order) the fraudster used was fake. Stuck with the bad check or money order, the person is also held liable by their banks for losses generated by the fake check.

Several varieties of the overpayment scam exist. Such scams include the secret shopper and pet schemes that appeared in the 2007 IC3 report. In 2008, the most common form reported was the “roommate” scam. Someone advertises for a roommate, the fraudster contacts them and says they’ll pay with a check or money order. Then the same predictable actions occur: The person who wanted a roommate gets a bad check over the amount originally agreed upon, deposits it into their bank account, and then the fraudster asks them to wire the excess amount to someone involved in their move to the new location (sometimes it is a bogus furniture supplier or moving company). The real status of the checks sent by fraudsters usually doesn’t surface until after the excessive funds have been wired and cashed, and the roommate seeker is stuck with the losses.

These scams are just some of the ones reported to IC3 in 2008. Why it is important for financial institutions to know about them is because these scams are being perpetrated against your employees and customers. The scams you don’t tell them about today will visit them tomorrow. To keep on top of the latest scams hitting consumers, you’ll want to check the IC3, FBI and FTC websites for updates and encourage your customers to report them to the IC3. LM

Read this blog online at http://blogs.bankinfosecurity.com/posts.php?postID=169

More Resources

Webinars

Embezzlement (Part 1): When Everyone Lies, Cheats & Steals http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=133

Embezzlement (Part 2): Conducting Financial Crime Investigations http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=134

Money Laundering Update: The Latest Threats to Your Institution http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=116

White Papers

Addressing Online Fraud & Beyond http://www.bankinfosecurity.com/whitepapers.php?wp_id=180

Authentication and Fraud Detection Buyer’s Guide http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=198

Interviews

The Evolving Face of Fraud: Steve Neville, Entrust http://www.bankinfosecurity.com/podcasts.php?podcastID=194

Fraud and Data Breach Trends: Kevin Prince, Perimeter eSecurity http://www.bankinfosecurity.com/webinarsDetails.php?webinarID=198

Agency Alert FinCEN: Guidance to Financial Institutions on Filing Suspicious Activity Reports regarding Loan Modification/Foreclosure Rescue Scams http://www.bankinfosecurity.com/regulations.php?reg_id=1397


About Information Security Media Group

Prior to early this decade, online banking was truly in its infancy. With the advent of more and more technology becoming interwoven with what we would consider “everyday banking,” a grow- ing list of regulations, guidance and federal mandates have been issued by the regulatory agencies which govern the banking industry. We created BankInfoSecurity.com and CUInfoSecurity.com to offer insight and guidance on how to deal with these relatively new requirements.

BankInfoSecurity.com and CUInfoSecurity.com are your one-stop portals for the latest news, insights and education on the top information security issues facing U.S. financial institutions and credit unions today. Through articles, webinars, podcasts, customized training and sponsored content, our team is committed to providing up-to-date information on the security regulations, threats, solutions, training and career trends that most impact banks, credit unions and other related enterprises.

GovInfoSecurity.com was formed to bring all that is risk management together for local, state and federal agencies so they can meet regulatory requirements armed with the intelligence and indus- try best practices they need. It’s an online resource dedicated to information security, audit, risk management and compliance topics. GovInfoSecurity.com is the only such media outlet to look at information security through the eyes of the federal government.

Contact

4 Independence Way
Princeton, NJ 08540
Phone: (800) 944-0401
Email: [email protected] [email protected]
ISMGCorp.com | BankInfoSecurity.com | CUInfoSecurity.com | GovInfoSecurity.com

Copyright © 2009 Information Security Media Group, Corp.