EFT SWIFT Breaches Highlight Growing Fraud

Transcription

1 EFT SWIFT Breaches Highlight Growing Fraud HOW ARE THE BAD GUYS STEALING MONEY OUT FROM UNDER OUR NOSES? PRESENTED BY: TOTAL TRAINING SOLUTIONS AND JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Master s of Information Assurance, Dakota State University Mission: save the world! Phone: jon@protectmybank.com SBS Institute sbsinstitute@protectmybank.com

2 Dakota State Nationally Recognized National Security Agency Department of Homeland Security 4,000 universities in the country Only 100 named national centers in the past 10 years National Center of Excellence in Information Assurance 3 Our Experience PROCESS: Information Security Program design and roll out IT Risk Management Vendor Management Technology Selection Business Continuity/ Disaster Recovery Incident Response Information Security Consulting IT Audit ISP Audit Controls Audit Wire Transfer Audit ACH Audit Internet Banking Audit TECHNOLOGY: Penetration Testing Vulnerability Assessment System Configuration Assessment Acceptable Use Scanning PEOPLE: Social Engineering Awareness Programs ISO Training CATO Training 4 2

3 EFT banking s new normal electronic transfer of money from one account to another, either within a single financial institution or across multiple institutions, through computer based systems and without the direct intervention of institution staff Includes: ACH (automated payment, such as a direct deposit) Wire Transfer (Western Union of Federal Reserve) Digital Currency (BitCoin, virtual currency) EFTPOS Point of Sale transactions (debit/credit card) Mobile Payments (SMS banking; ApplePay) SWIFT (international messaging for payment orders) 5 Same Day ACH Most ACH payments are settled the next business day (some minor float) NACHA rule change enables same day ACH processing Includes a same day fee so that RDFI s can recover cost to implement 2 new Clearing windows 10:30AM ET (settlement at 1:00PM ET) 2:45PM ET (settlement at 5:00PM ET) Roll out in 3 phases beginning September

4 Digital Banking Trends More or less access to money digitally? $96,000 of sales are made on Amazon every minute $612,000 is spent online by consumers every minute in real time/ More or less in person member interaction? Greater or fewer brick and mortar locations? More or less employees? More or less investment into technology? 7 Banking Method Trends 4

5 Changes in the Paradigm Banking is quickly changing from a place you go to something you do everyday, stated Brett King, author of bestselling Bank 2.0 and Bank 3.0, as well as founder of mobile banking start up Movenbank 9 Today s Cyber Crime 10 5

6 Vendors, CATO, and Ransomware Financial Institution networks are pretty secure When is the last time you heard a community bank get HACKED? How are bad guys getting our information and money, then? Through our Vendors (Target) Breaches of our members (Commercial Account Takeover) Other random attacks (phishing s, ransomware) 11 Crime as a Service (CAAS) Growing Threat Built using Botnets Provide services such as: Conduct DDOS Conduct Phishing Anti Antivirus Services Keylogging and central reporting Call Centers 12 6

7 Define Your Perimeter Network Perimeter Security Third Parties Internet Financial Bank Institution Physical Customers Members 13 Capability Maturity Model 14 7

8 Corporate Account Takeover CATO is the #1 threat to financial institutions responsible for millions of dollars in losses frayed business relationships litigation affecting both financial institutions and commercial accounts. around 85% of cyber attacks are now targeting small businesses. White House Cybersecurity Coordinator 15 CATO Attack Vectors P2P or A2A transactions Cash Management Online Banking Bill Pay Online Banking ACH Batch File ACH or Wire Fraud Wire Phone Request Wire Request Wire Fax Request 16 8

9 How does CATO work? 17 Getting the Money banking fraud/cyber banking fraud graphic 18 9

10 Newest forms of CATO Business Compromise Internal BEC vs. Member BEC Payroll takeover Extortion 19 Notable Incidents May 2013 J.T. Alexander & Son Inc. $800,000 in ACH transactions ranging from 5 10K to 60 mules, company has 15 employees with average 30K payroll. April 2013 Chelan County Public Hospital $1M in ACH transactions from payroll account using 96 mules Identified by Brian Krebs December 2012 Efficient Services Escrow Group $1.5M in wires (December.4M and January 1.1M). Forced company to close. December 2012 Ascent Builders Inc. $900,000 in wires and ACH covered up by DDOS Identified by Brian Krebs February 2014 The Scoular Co. Omaha, NE $17.2M to China using BEC Fraud (aka CEO fraud or man in the ) August 2014 Ubiquiti Networks San Jose, CA $46.7M to Hong Kong and other overseas accounts FBI: $1.2B Lost to Business Scams (BEC) in last two years

11 Selling on the Dark Web 21 Online Card Sale 22 11

12 Exploits Sell Good and Bad a windows 0 day could be yours/ 23 How to mitigate CATO risk? KNOW YOUR RISK Know your members Who s the riskiest member? Layered Security Programs Offer commercially reasonable security Encourage dual authentication, out of band, separate workstations EDUCATION! Employee Member Insurance Better Contracts PLAN TO FAIL WELL 24 12

13 FFIEC Layered Security Programs Effective controls that may be incorporated in a layered security program include, but are not limited to: Fraud monitoring and detection Dual authorization Out Of Band transaction verification Positive pay Account activity controls or limits on value, volume, timeframes, and payment recipients IP reputation based blocking tools Polices and procedures for addressing potentially infected member devices Enhanced control over account maintenance Enhanced member education (also NCUA Letter 11 CU 09) 25 SWIFT & Bank of Bangladesh Bank of Bangladesh unknowingly breached for months Bad guys learned how SWIFT works through studying network traffic at BoB (malware) Planned an elaborate heist to steal $951M Only able to get away with $81M Transferred into accounts that had been opened in 2015 (and had money in them) LONG CON A printer error discovered the attack A misspelling caused a $20M wire to fail processing 26 13

14 27 How do CUs prevent EFT Fraud? NCUA FFIEC Joint Statement on Interbank Messaging and Wholesale Payments ent 2016 june ffiec cybersecurity.aspx 5 Major Takeaways: Know Your Risk Monitor Your Networks Patch Management Test Security Regularly Plan to Fail Well 28 14

15 Know Your Risk It all starts with your RISK ASSESSMENT. Your Risk Assessment should help you to make decisions! Those decisions should be documented in your Information Security Program. You then test your decisions People, Process, and Technology A good risk assessment take a lot of work. Explore tools that create standards to make your life easier and help you measure risk. 29 Types of Risk Targets: Organizational Risk Asset specific Risk Outcomes: Inherent Risk How risky is an asset BEFORE we apply mitigating controls? Residual Risk What is the remaining risk AFTER we ve implemented security controls? 30 15

16 IT Risk Assessment Components ASSET (PP) THREAT INHERENT RISK INHERENT RISK MITIGATING CONTROLS 31 Monitor Your Network 2 BIG Questions: 1. If someone was in your network, would you know it? 2. If someone was sending information out the backdoor of your network, would you be able to tell? Can you weed through the network noise (logs) and identify suspicious activity? What does your baseline network activity look like? How do you identify and monitor anomalies? 32 16

17 Patch Management Inventory all assets divide into software/firmware categories Insert yourself into the appropriate software/firmware update notifications usually lists. Create a patching schedule based on the lists activity MS is easy (second Tuesday of every month). Create an appropriate testing regimen based on the size and complexity of your environment try to ensure the windows from patch release to patching on production is as small a possible Automate the deployment of patches on each vendor system as much as possible software (patching vendors) firmware (NAS repository). Identify outliers of systems not getting patches or updates Remediating outliers so they can get patches reinstall, troubleshooting, etc Test Security Regularly Plan Assess your risk No, REALLY assess it Do Build your ISP Implement controls Check Test your people Test your process Test your technology Act Apply lessons learned Continuously improve! 34 17

18 Plan to Fail Well Make sure your Incident Response Procedures cover more than just member data breach Other new, internet related threats: Malware, Ransomware, DDoS, vendor breach Who will you have to notify in the event of an incident? Have you considered Digital Forensics? 35 Comprehensive Incident Response Don t just address: CU Incidents Third Party Incidents Member Incidents From the perspective of the CU. Build or ensure each layer has their own procedures: Member s IRP Third Party s IRP Commercial Accounts Third Party IT 36 18

19 CSBS Shift Your Thinking Conference of State Banking Supervisors: The persistent threat of internet attacks is a societal issue facing all industries, especially the financial services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber attacks now requires a shift in thinking on the part of bank CEOs that management of a bank s cybersecurity risk is not simply an IT issue, but a CEO and Board of Directors issue

20 39 That s all she wrote Any questions, comments, or concerns? Automate your IT Risk Assessment TRAC! Also, for a much deeper dive on Cybersecurity specifically for financial institutions, check out our eleven (11) Cybersecurity Certification Programs! CB Security Manager (CBSM) CB Security Technical Professional (CBSTP) CB Security Executive (CBSE) CB Vendor Manager (CBVM) CB Ethical Hacker (CBEH) CB Incident Responder CCBIH) More Ask about our Learning Paths! Contact info: Jon Waldman Partner, Senior IS Consultant jon.waldman@protectmybank.com

21 Thank You for Attending! TTS CUWebinars.com Don t forget about our listing of OnDemand programs at CUWebinars.com! Upcoming CUWebinars August 5 th - ALERT! New Customer Due Diligence Rules: Part Two Consumers August 10 th - Best-Ever Compliance Checklist for Consumer Loans August 18 th - Critical Issues on Closing Accounts August 23 rd - Flood Insurance Review and Update August 25 th - 8 Keys to Teller Excellence August 25 th - Compliance Perspectives: A Monthly Update September 7 th - Commercial Loan Checklists 41 21