Regulator s Perspective of Best Practices in Combatting Cybercrime Executive Fraud Forum October 30, 2013

Similar documents
ASSESSMENT LAYERED SECURITY

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Best Practices Guide to Electronic Banking

January 23, Online Banking Risk Management: A Multifaceted Approach for Commercial Customers

Web Cash Fraud Prevention Best Practices

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

FFIEC CONSUMER GUIDANCE

Retail/Consumer Client Internet Banking Awareness and Education Program

Texas Department of Banking United States Secret Service January 25, 2012

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Personal Cybersecurity

9/11/ FALL CONFERENCE & TRAINING SEMINAR 2014 FALL CONFERENCE & TRAINING SEMINAR

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

FFIEC CONSUMER GUIDANCE

NOT-FOR- PROFIT SERVICES GROUP Client Information Bulletin

The BUSINESS of Fraud. Don t let it put you out of business. AFFILIATE LOGO

FFIEC Guidance: Mobile Financial Services

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Panda Security 2010 Page 1

Business/Commercial Client Internet Banking Awareness and Education Program

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

2014 CliftonLarsonAllen LLP Cyber Crime and Payment Fraud Trends Key Threats to All Businesses CliftonLarsonAllen LLP. CLAconnect.

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

ELECTRONIC BANKING & ONLINE AUTHENTICATION

2016 Tri-State CF Partnership Webinar Series. Cyber Crime Trends a State of the Union April 7, 2016

Emerging Issues: Cybersecurity. Directors College 2015

Business Online Banking & Bill Pay Guide to Getting Started

Fraud Risks Facing Credit Unions. ALLIED SOLUTIONS LLC SERVICE CENTER 210 East Main Street, Suite 200, Niles, MI Fax:

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

NETWORK THREATS DEMAN

The Double Edged Sword of Mobile Banking

2010 Online Banking Security Survey:

Regulation P & GLBA Training

Using Security to Lock in Commercial Banking Customers

Cybersecurity The Evolving Landscape

huntington Business security suite user guide

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Red Flags/Identity Theft Prevention Policy: Purpose

Prevention of Identity Theft in Student Financial Transactions AP 5800

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Tackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud

Guide to Getting Started. Personal Online Banking & Bill Pay

Capital Bank Express User Guide. The Tech Behind the Money

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

Securing Information Systems

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

Safeguarding Your Dealership from Fraud

Personal Online Banking & Bill Pay. Guide to Getting Started

Cyber Insurance: What is your bank doing to manage risk? presented by

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Business ebanking User Guide May 2015

Cyber Crime and Online Payment Fraud Trends

Identity Theft Prevention Policy

Checklist: Credit Union Information Security and Privacy Policies

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

The Cyber War on Small Business

Cybersecurity: Incident Response Short

Centrix Payments I.Q. System

Chapter 6 Network and Internet Security and Privacy

A (sample) computerized system for publishing the daily currency exchange rates

Cyber security tips and self-assessment for business

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

Information Technology General Control Review

VERIFICATION METHOD. Deskside User Guide

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

FDIC InTREx What Documentation Are You Expected to Have?

The Challenge of Spam An Internet Society Public Policy Briefing

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

[Utility Name] Identity Theft Prevention Program

University of Pittsburgh Security Assessment Questionnaire (v1.7)

FairWarning Mapping to PCI DSS 3.0, Requirement 10

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

The CERT Top 10 List for Winning the Battle Against Insider Threats

Seattle University Identity Theft Prevention Program. Purpose. Definitions

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Frequently Asked Questions (FAQ)

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

Phishing in the Age of SaaS

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Unique Phishing Attacks (2008 vs in thousands)

The Insider Threat Center: Thwarting the Evil Insider

Security & Phishing

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Integrated Access Management Solutions. Access Televentures

Education Network Security

Transcription:

Regulator s Perspective of Best Practices in Combatting Cybercrime Executive Fraud Forum October 30, 2013 Tony DaSilva, AAP, CISA Senior Examiner Federal Reserve Bank of Atlanta

Disclaimer The views and opinions expressed in this presentation are those of the individual presenter and do not necessarily represent the views and directives of the Federal Reserve Bank of Atlanta, the Federal Reserve System, or the FFIEC. The content of the presentation should not be construed as regulatory guidance.

Topics DoS & DDoS Fraud The Primary Reason FFIEC Guidance June 28, 2011 Requirements FRS Guidance Best Practices 3

Denial of Service Attack DoS & DDoS 4

What is a denial of service attack? Objective(s): Render a service unavailable Cripple the infrastructure Typical targets: Bank Credit card payment service Mode of attack: Saturate the target with external requests for connectivity or communication

What s the end result? Result: Target server is so saturated with attack requests that it cannot respond to legitimate requests Server crashes and reboots Services slow to a crawl or are halted Is it a crime? 18 U.S.C. Sect. 1030 Felony 10 years

DoS Types Bandwidth drain: The target computer is overwhelmed by the number and size of files being simultaneously sent to it, thereby draining its available Internet connection. Resource drain: The target computer is inundated with requests, draining its resources to the point where it is no longer able to respond. 7

Distributed DoS (DDoS) A DDoS attack is performed when hundreds, or possibly thousands, of computers simultaneously request services or bandwidth from the same target computer. The attack is executed with networks of computers which are controlled by malicious software which has been installed on a user s computer. The antivirus detection rate for botnet malware is less than 40 percent. For additional information, visit: https://zeustracker.abuse.ch/index.php. 8

Readily Available Mayhem Botnet malware development kits are available for purchase over the Internet. The most recent versions may cost less than two thousand dollars. Older versions can be obtained for a few hundred dollars for free. Botnet administrators also lease their botnets on a perproject basis. The DDoS attack application software called Low Orbit Ion Cannon is available for free download from sourceforge.net. 9

DoS & DDoS Denial of Service & Distributed Denial of Service Most community banks need to work with their core processors and ISPs to help prevent or at least contain the attack. The last thing an administrator wants to deal with is a Distributed Denial of Service (DDoS) attack. Yet, together with the recent rise of hacktivism, DDoS attacks are increasingly becoming a threat that IT admins need to prepared for. The worst thing about DDoS attacks is that they do not prey on the victim s weaknesses; therefore being cautious and using the right tools and protection, as in the case of hacking attacks, is not enough. 10

DDoS (continued) Despite the threat, there s still an effective way to protect your network against these attacks network design decisions. The only way to protect against this is by having a system to identify the DDoS source and block it. This is easier said than done. Identifying the source of a DDoS attack can be tricky and, in most cases, involves tweaking an intrusion detection system (IDS) to differentiate between legitimate requests and attacks. Testing its effectiveness is not easy either. In any case, this will cause quite a few false positives. 11

DDoS (continued) Once an attack source is identified, all you need to do is configure the Firewall to block that source until the attack stops. Even so, if your Internet bandwidth is overwhelmed by requests, your site will still probably be inaccessible. 12

Financial Institution Mitigating Actions Targeted banks have been very successful in employing numerous means of thwarting the DDoS attacks. There has been unprecedented sharing of information amongst the targeted banks as well as with their regulators and other government agencies. Banks are working with service providers to address the problems and to scrub/reduce the attack volumes. Leading DDoS protection providers (Prolexic, VeriSign, Akamai, etc.) Internet Service Providers - AT&T, Verizon, etc. 13

DDoS Attacks 2012 14

Average Downtime 15

Developing Concerns Bank service providers as possible future targets Overload of key service providers attempting to mitigate the effects of DDoS attacks Attacks moving down to banks of lower asset size and with potentially less capability for managing the attacks DDoS attacks being used as a diversion while fraudulent wire transfers are being transmitted 16

Payments Cybercrime ACH & Wire Transfers 17

Technology Enabling Fraud As payments have evolved significantly, largely due to technological advancements, so has the sophistication of EFT fraud. Expertly crafted emails, malicious links on legitimate websites (such as social networking sites), and other methods are used to place malware within the networks of corporate customers. The malware then harvests security information, including login credentials, subsequently allowing the criminals to initiate electronic payments through hijacked accounts. 18

Just a Few Examples SpyEye A Zeus variant that wakes-up and steals credentials in real time. OddJob Keeps online sessions open after logout by the user Tatanga Caused a screen freeze or displays a please wait message as it conducts transactions in the background. Zeus Mitmo Steals SMS one-time passwords via Social Engineering. Can utilize Smishing to get user to download malware that forwards SMS messages Ramnit Worm It was paired with source code from the Zeus botnet, and began targeting financial institution and has the ability to bypass two-factor authentication and transaction signing systems. 19

The FFIEC Guidance Supplement Effective 1/1/2012: On June 28th, 2011 the Federal Financial Institutions Examination Council FFIEC) released a supplement to the 2005 Authentication in an Internet Banking) Environment guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud. 20

Three Primary Requirements Risk Assessments Layered Security Customer Education & Awareness 21

FRS Guidance In recognition of the constant evolution in online threats, institutions should review and update risk assessments prior to implementing new electronic financial services or at least every twelve months. Institutions should implement a layered approach to security for high risk Internet-based transactions (i.e. access to sensitive customer information and/or movement of funds to other parties), including at a minimum processes to detect and respond to anomalous or suspicious behavior relating to initial login and to transactions that transfer funds to other parties. 22

FRS Guidance For business/commercial online accounts, layered security at a minimum should include enhanced controls for users granted access or change permissions to administrative and configuration functions. Institutions' customer awareness and education programs should clearly explain the applicability of Regulation E protections to each account type accessible over the Internet. Further, institutions should take steps to see that customers are informed of security control options and alternatives. 23

Note None of the supplement's risk management expectations are specific mandates, nor does the supplement promote any specific automated or manual technologies or processes. An individual institution's control environment should be a function, in part, of the characteristics, size, and nature of its activities and customers. 24

Note Similar to the 2005 guidance, the June 2011 supplement applies to all electronic banking delivery channels, including the mobile banking channel. Whether financial institutions provide all or part of their electronic banking activities to customers through inhouse systems or outsourced, service-provider arrangements, the institutions are responsible and accountable for conformance with the 2005 guidance and the 2011 supplement. 25

Specific Practices to Mitigate Risks To mitigate some of the risk of fraudulent transactions, bank management should consider the following risk management practices: Assess risks and implement technologies that address current threats (many strong authentication technologies have been compromised) Deploy robust, multi-factor authentication; Use out-of band authentication methods (i.e., call backs, text messages) to documented contacts; Implement layered security (defense-in-depth) for high-risk transactions; 26

Specific Practices to Mitigate Risks Ensure centralized fraud detection systems facilitate monitoring across payment channels (i.e., ACH transactions, wire transfers, cards, checks, ATM transactions); Review security provisions in customer agreements (agreement alone may not alleviate bank from liability); Implement procedures for monitoring new and existing accounts (for new accounts, monitor for ACH credits money mule activity ); 27

Specific Practices to Mitigate Risks Disallow ACH debits unless specifically approved by customer; Regularly review ACH customer exposure limits (be aware that LOCs may increase potential funds accessible to criminals); Consider having the ACH Operator implement a threshold amount for origination; Implement transaction risk profiling; 28

Specific Practices to Mitigate Risks Monitor debit transaction returns including bill payment accounts; Implement third-party service provider governance and due diligence; Provide customers with robust account activity monitoring/ alerting tools; and Focus on strong customer education regarding information security management requirements and monitoring practices. 29

Specific Practices to Mitigate Risks Some points for banks to consider emphasizing in customer education include: Use of a single purpose, stand-alone computer for Internet banking (no email/web surfing/downloading); Monitor accounts daily for unusual activity notify FI immediately of any errors; Implement dual controls and separation of duties; Maintain up-to-date anti-virus, spyware and firewall protection; Use the strongest form of authentication provided by the bank; and, Apply security patches quickly, consistently and comprehensively. 30

Out-of-Band Username tokens Passwords Internet 31

For More Information FBI Alert: Fraudulent ACH Transfers http://www.fbi.gov/pressrel/pressrel09/ach_110309.htm FDIC Special Alert: Fraudulent Electronic Funds Transfers http://www.fdic.gov/news/news/specialalert/2009/sa09147.html FDIC Special Alert SA-185-2009 Fraudulent Funds Transfer Schemes http://www.fdic.gov/news/news/specialalert/2009/sa09185.html NACHA Bulletin: Corporate Account Takeovers http://www.nacha.org/docs/nacha%20operations%20bulletin%20- %20Corporate%20Account%20Takeover%20- %20December%202,%202009.pdf 32

For More Information FFIEC Guidance Authentication in an Internet Banking Environment http://www.ffiec.gov/press/pr101205.htm Identity Theft Red Flags Rule http://www.federalreserve.gov/boarddocs/srletters/2008/sr0807.htm FDIC Guidance on Mitigating Risks from Spyware http://www.fdic.gov/news/news/financial/2005/fil6605.html Interagency Guidelines Establishing Information Security Standards (GLBA) http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback