7Th Annual Risk Americas Convention - 2018

Home , Cheque fraud, Internet fraud, Mismarking, Money mule

7th Annual Risk Americas Convention - 2018

Fraud, Cybercrime and Reputation Risk – What Organizations Can Do About It

Dalit Stern, CPA, CFE Senior Director Enterprise Fraud Risk Management, TIAA

New York - May 17, 2018

Agenda

 The intertwined landscape of fraud and cyber  A vibrant marketplace changes the face of fraud  Sophistication of social engineering techniques  Customers  Corporations  The impact of cyber risk on fraud and reputation risks what to do about it  Q&A

2 Disclaimer

The views expressed in this presentation and in today’s discussion are the views of the speaker and do not necessarily reflect the views or policies of TIAA. Examples, charts and metrics are purely for illustrational purposes, and may have been modified or simplified in order to clarify a point. Neither the speaker, nor TIAA, accept responsibility for any consequence of the use of any part of the framework presented herein.

3 The Intertwined Landscape of Fraud and Cyber

Assessing the risk of fraud in financial institutions: • Financial institutions continue to be subject to fraud: • In person • Remote fraud (online, interactive voice response (IVR) , paper ) • Consistent trends of money out and account maintenance fraud enabled by cyber incidents • Cyberattacks are becoming a more prominent fraud threat - designed to target: • Customer assets • Financial institution assets • Certain subsectors are more prone to cyber fraud but most see increased activity (e.g., banking, brokerage, retirement 4 insurance, investments)

The Intertwined Landscape of Fraud and Cyber (cont.) Assess the sources and impact of Cyber–threats I. Sources of intentional threats: • Insiders • Nation-states • Hacktivists • Cybercriminals

II. Impacts from cybersecurity breaches: • Business/operational–direct/indirect interruption from a failure of key business processes • Legal and compliance–legal action (myriad laws and regulations) • Financial • Reputation 5

The Intertwined Landscape of Fraud and Cyber (cont.)

Who are these Cybercriminals? Type: Lone hackers; petty criminals; organized, professional criminals

“Organized”: • Based in international locations • Full time • Collaborate and share code • Use significant resources 6

A Vibrant Fraud Marketplace

7 A Vibrant Fraud Marketplace– for Products and Services

Records and data for sale–on black market websites: • U.S. credit card with track data (account number, expiration date, name and more): $12 • EU, Asia credit card with track data: $28 • Social media account: $50 • Counterfeit Social Security cards: $250 to $400 • Counterfeit driver's license: $100 to $150 • New identity plus a matching utility bill: $350 • Bank credential: $1,000 + (6% of the total dollar amount in the account) • Hacking into a website: $100 to $300

8 Source: Business Insider article; IBM and the Ponemon Institute published in 2015

A Vibrant Fraud Marketplace- for Products and Services (cont.)

For sale - on black

9 Source: https://www.moneywise.co.uk/news/2018-03-21/how-much-your-data-worth-to-hackers

A Vibrant Fraud Marketplace (cont.)

Source: https://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market/ Cyber Activity Changed the Face of Fraud

• Digital fraud is global • Stolen Personally Identifiable Information (PII) are widely available • Out of wallet questions are easy to obtain • Traditional attacks include new digital channels • Use of bots • Move to fast transactions will increase impact • Fraud schemes:  Identity theft  New account opening fraud  Account takeover fraud 11

Social Engineering • Armed with PII, fraudsters attempt to access financial customers’ assets in financial institutions • Corporations implement better systems at preventing and detecting cyber and fraud • Fraudsters increasingly target consumers to get around an institution’s fraud controls • People remain a weak link and can be exploited via increasingly sophisticated social engineering techniques

12 Social Engineering Schemes

Common schemes: • Phishing/Vishing/Smishing: • The use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials • Spear-phishing

• Who has not received phishing (e)mails?: • Winning a Lottery • Wealthy businessmen in third world countries seeking business partners • Work from home 13 • ‘Romance’ schemes

Social Engineering Schemes (cont.)

Purpose: many social engineering schemes are designed to: • Compel victims to act as money mule and facilitate fraud and money laundering • Defraud unwitting individuals to transfer funds

Victims: • Elderly individuals • Women • Financially well-off

Method: fraudster(s) develop(s) relationship over months in order to build the victim’s trust

14 Money Movement: International transfers, despite limited history of wire transfers Cyber Activity Changed the Face of Fraud (cont.) Top loss categories:

Source: FBI Internet Fraud Report 2017, by Crime Type, by Loss amount https://pdf.ic3.gov/2017_IC3Report.pdf FBI - Internet Crime Complaint Center

‘Advanced’ Social Engineering - Customer, Corporate

Advanced social engineering requires attaining the confidence of customers or internal employees such that they divulge pieces of information needed to proceed with a fraudulent transaction: • Involves person-to-person interaction • Multiple attempts or steps to create a valid transaction • Use of social-engineering and interactive voice response (IVR) attacks to gather data enabling account takeover, fraudulent transactions • A necessary step in ‘finalizing’ an ongoing scheme: • Obtaining One-Time-Pin (email or phone) • Obtaining specific information needed 17

Social Engineering of Call Centers

Call centers may be a weaker link in organizations: • Traditional call centers that rely on live agents to look for high risk / suspicious callers • Caller ID can be easily spoofed • Limited IVR monitoring • Limitations of Knowledge Based Authentication (KBA) • Delicate balance between customer experience and stringent security

“By 2020, 75% of omnichannel customer-facing organizations will sustain a targeted, cross-channel fraud attack with the contact center as the primary point of compromise.” 18 Source: GARTNER: Don't Let the Contact Center Be Your 'Achilles Heel' of Fraud Prevention, published: 02 March 2017 Social Engineering of Call Centers (cont.)

• Fraud incidents are often “multi-channel” • Interactions between a criminal and a call center may not result in a financial transaction (pre-fraud): • IVR • Agent • Nature of calls • Testing stolen data in an IVR system to identify accounts • Tricking an agent into revealing customer data • Asking an agent to change contact information • Using the IVR to change the PIN number on an account • Requesting to complete a fraudulent wire transaction 19

Source: Pindrop Labs, Call Center Fraud Report 2016 The Impact on Reputation

• Challenge: The critical nature of maintaining confidentiality and integrity of customer financial data in financial institutions • Challenge: Dependence of financial institutions on other financial service providers and on multiple third parties for their own operations (e.g., Target) • Challenge: PII are compromised outside the financial institutions (result of well-publicized breaches, customer malware) • Cyber/fraud incidents that are likely to harm reputation: • Loss of PII -- Regulatory violations • Business disruptions • Wrongful conduct/fraud • Customer experience – challenge and opportunity 20

The Impact on Reputation (cont.)

Impact analysis: • Limited cyber incidents or insignificant fraud losses are magnified as reputation is impacted • Providers and 3rd parties impact your reputation - “multiplier” effect to the exposure • Business differentiator • Loss mitigation: business, legal, insurance implications • Customer perception and the significance of client communication: • Before incident • During incident • After incident 21 • What not to say Fraud and Cyber Incidents are Often Manifestations of the Same Attack Incidents loss reporting reflect the convergence: • Increased online activity • Increased phone activity (agent and IVR) • Increased number of fraud alerts • Increased fraud incidents • Fraud losses

• Challenges include: • Consistency of taxonomy to correlate cross-channel issues as facets of same attack: • across line of business and individual reporters • business line vs. corporate functions • Subsidiaries • Manual reporting: management and governance reporting – is 22 significantly slow; when cyber-attacks occur, need to be fast

What to Do about Digital Fraud – Mitigation of Cyber and Fraud Risk R L Not “a one size fits all”: I a • Limit social engineering impacting workforce: S y K • Employee training: educate and train call center, IT employees e - r • Conduct random tests on different employee groups e • Provide ongoing customer education on new cyber/ fraud risks B d and how clients can protect themselves a s • Determine approach to authentication: e C • Login requests only/ transactions, requiring enhanced d o authentication n A t • Once-and-done approach with strong two-factor (MFA) p r • Digital verification of PII p o • Implement authentication programs across all channels: R l o • Online ,Mobile, Phone, Paper s a 23 • Move to passive authentication techniques c h

What to Do about Digital Fraud – Mitigation of Cyber and Fraud Risk (cont.) • Recognize and prioritize cybersecurity and fraud management • Not only a compliance issue, the business should recognize its broad impacts and manage these accordingly • Cybersecurity and fraud are now more often on management committee agendas. Also, are being resourced, accordingly • Address evolving threats with machine learning and data analytics • Harness multiple sources of enterprise intelligence into big data analytics Retain data science skills • Address patterns, cross-channel exposures, and recognize minor events that will escalate

• Collaboration and sharing of threat intelligence with 24 industry, third parties, law enforcement

What to Do about Digital Fraud – Mitigation of Cyber and Fraud Risk (cont.)

Align IT security and fraud management processes and/or organizations: • Many security and fraud groups rely on multiple security and fraud products • Integrated processes provide better visibility and actionable intelligence needed to quickly respond to incidents Develop combined metrics and reporting of cyber and fraud: • Counter-fraud control coverage and effectiveness Cyber • Fraud monitoring tools analytics • Phone calls • Cyber analytics 25 Monitorin Investigations g

Appendices

26 Fraud and Misconduct Risks– Definitions (Basel II) Basel II has projected seven types of operational risks that may occur at banks and financial institutions: • Internal fraud–Acts of fraud committed internally in an organization go against its interest. Losses can result from intent to defraud, tax non-compliance, misappropriation of assets, forgery, bribes, deliberate mismarking of positions and theft. • External fraud–External frauds are activities committed by third parties. Theft, cheque fraud, and breaching system security like hacking or acquiring unauthorized information are the frequently encountered practices under external fraud.

Source: Operational Risk Loss Data, Basel Committee on Banking Supervision

Basel II: Internal Fraud Risk (Levels 2 and 3)

Unauthorized Theft and Theft and Activity Fraud Fraud (cont.)

Fraud/Credit Transaction Fraud/Worthless Account take- Manipulation Deposits over

Mismarking of Misappropriation position of assets (intentional) Identity theft

Bribes/Kickbacks Tax evasion

Extortion/ Theft of Physical Malicious Property destruction of assets/Smuggling

Forgery/Check Kiting Embezzlement

Source: Operational Risk Data Collections Exercise, Insider Trading 28 Basel Committee on Banking Supervision, June 4, 2002 Basel II: External Fraud Risk (Levels 2 and 3)

Theft and System Fraud Security

Theft of Computer Physical Hacking Property

Theft of Customer Check Kiting Sensitive Data

Theft of Intellectual 29 Property Questions?

Thank You.