January 23, Online Banking Risk Management: A Multifaceted Approach for Commercial Customers

Similar documents
ASSESSMENT LAYERED SECURITY

Best Practices Guide to Electronic Banking

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Regulator s Perspective of Best Practices in Combatting Cybercrime Executive Fraud Forum October 30, 2013

Web Cash Fraud Prevention Best Practices

The BUSINESS of Fraud. Don t let it put you out of business. AFFILIATE LOGO

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Authentication and Fraud Detection Buyer s Guide

9/11/ FALL CONFERENCE & TRAINING SEMINAR 2014 FALL CONFERENCE & TRAINING SEMINAR

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Securing Office 365 with SecureCloud

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Business Online Banking & Bill Pay Guide to Getting Started

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Keep the Door Open for Users and Closed to Hackers

White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

Cyber Insurance: What is your bank doing to manage risk? presented by

FFIEC Guidance: Mobile Financial Services

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

FFIEC CONSUMER GUIDANCE

Guide to Getting Started. Personal Online Banking & Bill Pay

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

A Layered Approach to Fraud Mitigation. Nick White Product Manager, FIS Payments Integrated Financial Services

Red Flags/Identity Theft Prevention Policy: Purpose

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

How Cyber-Criminals Steal and Profit from your Data

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

FFIEC CONSUMER GUIDANCE

2016 Tri-State CF Partnership Webinar Series. Cyber Crime Trends a State of the Union April 7, 2016

Automated Context and Incident Response

First Republic Bank Corporate Online User Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Cybersecurity The Evolving Landscape

Using Security to Lock in Commercial Banking Customers

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

JHA Payment Solutions. MASTER Site Funds Verification jxchange. Client Training Guide. ipay Solutions December 2016

Universal Representation of a Consumer's Identity Is it Possible? Presenter: Rob Harris, VP of Product Strategy, FIS

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

Personal Online Banking & Bill Pay. Guide to Getting Started

Centrix Payments I.Q. System

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

PCI Compliance. What is it? Who uses it? Why is it important?

Commercial Online Banking. Quick Reference

The Double Edged Sword of Mobile Banking

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

2010 Online Banking Security Survey:

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

locuz.com SOC Services

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

FFIEC Compliance Guide

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Business ebanking User Guide May 2015

Federal Reserve Bank 2016 Mobile Banking & Payments Survey

Account Takeover: Why Payment Fraud Protection is Not Enough

the SWIFT Customer Security

Secure Access & SWIFT Customer Security Controls Framework

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

THE ACCENTURE CYBER DEFENSE SOLUTION

NOT-FOR- PROFIT SERVICES GROUP Client Information Bulletin

CloudSOC and Security.cloud for Microsoft Office 365

Ouachita Baptist University. Identity Theft Policy and Program

IBM Future of Work Forum

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Accelerating growth and digital adoption with seamless identity trust

2014 CliftonLarsonAllen LLP Cyber Crime and Payment Fraud Trends Key Threats to All Businesses CliftonLarsonAllen LLP. CLAconnect.

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

SFC strengthens internet trading regulatory controls

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Business White Paper. Healthcare IT In The Cloud: Predicting Threats, Protecting Patient Data

Capital Bank Express User Guide. The Tech Behind the Money

It s Cyber Warfare. How financial institutions can implement identity-based security to win the war against online attacks

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

CA Security Management

Managed Endpoint Defense

VERIFICATION METHOD. Deskside User Guide

RSA Web Threat Detection

Best Practices in Securing a Multicloud World

huntington Business security suite user guide

Regulation P & GLBA Training

Teradata and Protegrity High-Value Protection for High-Value Data

IBM Security Vaš digitalni imuni sistem. Dejan Vuković Security BU Leader South East Europe IBM Security

Business Online User Guide July 2017

Retail/Consumer Client Internet Banking Awareness and Education Program

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

FFIEC Compliance Guide

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017

CYBER RESILIENCE & INCIDENT RESPONSE

Emerging Issues: Cybersecurity. Directors College 2015

IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

THALES DATA THREAT REPORT

Cyber security tips and self-assessment for business

Higher Education Privacy Update

Securing Your Most Sensitive Data

Transcription:

January 23, 2012 Online Banking Risk Management: A Multifaceted Approach for Commercial Customers

Risk Management Rajiv Donde - CEO Laru Corporation

Agenda Risk Premise FFIEC prescription for a layered security approach Understanding the layers The Measure/Control paradigm Examples of ACH risk measurement Examples for ACH risk control tools Risk Management recommendations 3

Perspective on Risk Banks are in the business of managing risk Continuous risk management through temporal study of transaction patterns is necessary & critical Checking new transactions against historical transaction patterns, is critical to catching anomalies Banks have 100% control of their historical transaction data 4

Layered Security Idea Point of Login Device verification Authentication Point of fund transfer Behavior pattern Historical transaction based Rules based Post transaction Analysis Trends NACHA rule violations Returns Analysis Limit Analysis Device Fund Transfer Website Analysis 5

FFIEC s Layered Approach Weak component Browser Based Security Consumers use weak passwords and old browsers FIs have no control over the devices used by customers Criminals are sophisticated, while anti-virus tools merely play catch-up Strong component Internal anomaly detection Establish patterns of transaction behavior Quarantine out-of-pattern transactions Adopt a rule based approach to catch not-normal transactions 6

Measure/Control Paradigm Risk Control (ACH Vision) Pre- Existing Processing Software Fed Systems Risk Measurement (ACH-Clarity) FRAUD Complete C:\Vision\In C:\Processor\In C:\Fed-Ready C:\Archives 7

Risk Measurement - Examples Volume Analysis monthly / yearly SIC Code Third party sender analysis Unauthorized returns Transaction volume & dollar limits NACHA rule violations 8

Examples of Risk Measurement Trends Monthly Volume 9

Examples of Risk Measurement Trends Activity by SIC Code 10

Examples of Risk Measurement Trends Third Party Senders Third Party Senders are shown with origination and return details for their individual customers 11

Examples of Risk Measurement (By R7,R10,R29 Unauthorized Returns) Unauthorized Returns includes - R7, R10, R29 12

Examples of Risk Measurement Origination and Return Activity Limits Over limit Approaching limits 13

Examples of Risk Measurement ACH Rules Violations Violation types shown here 14

Why Risk Management Automation Common reasons stated by customers Need for automated quarantine mechanism for fraudulent/risky/ problem transactions Legacy systems lack adequate monitoring & reporting features Dodd-Frank, FFIEC and other regulatory safety concerns Manual risk monitoring and reporting methods are error prone, costly and inadequate for needs of Governance, Risk & Compliance (GRC) Reputation, operational and financial risks causing urgency for automated risk measurement and control 15

Example of Risk Control Man in the Browser Duplicate Files Exposure Monitoring Keywords/OFAC File Integrity 16

Example of Risk Control - Exposure Monitoring Uses the client s return rate and received returns to calculate the exposure from outstanding returns or unfunded credits. 17

Examples of Risk Control Keywords & OFAC Poker Tobacco OFAC Uses a nightly OFAC update plus client specific key words to block files. 18

Examples of Risk Measurement ACH File Integrity Uses a variety of checks to detect evidence of file tampering. This includes incorrect batch totals, invalid ABA numbers and more. 19

Risk Management Recommendations Use a Business Intelligence tool to analyze historical transactions and organize these into actionable patterns Next, combine your online bank application with a automated tool to catch anomalies from the established patterns Extend this methodology across the various payment channels For additional information, please contact: Rajiv Donde - CEO Laru Corporation rajiv@larucorp.com 916-932-7034 20

Internet Banking Security Package Cheryl Dunnahoo, Solution Consultant First Data Online Banking Solutions (FundsXpress)

Internet Security Landscape Consumers increasingly concerned about online security An overwhelming 85 percent of survey respondents expressed significant concern about the safety of sending information over the Internet. -Identity Theft Resource Center Regulation and compliance FFIEC adds another layer of regulation for financial institutions to manage Internet banking security threats evolving Organizations are no longer facing challenges from individual hackers or even small groups of hackers. Instead, threats are coming from highly organized, well-funded crime networks, or even state-sponsored actors. - Khalid Kark, Analyst, Forrester 22

Minimum Standards for Risk Management Program Protect Detect Respond 23

First Data Action Innovation and strong strategic partnerships 1 First Data provides FI s the tools to remain competitive and compliant in an increasing hostile online environment 2 Internet Banking s multi-layered security package can help your institution and your customers remain safe and 3 secure through all stages of the Internet banking transaction Multi-layered security helps your institution to remain compliant in accordance with the recent FFIEC Authentication Guidance Updates 24

Internet Banking Security How the Internet Banking Security package works The basic Internet banking security package is a suite of monitoring tools that comes fully integrated with our Internet banking solutions Alerts Intrusion Detection Large Transaction Report Validation Engine Identify Verification Multi-factor Authentication Unusual Login Activity Report 25

Layered Security Features BEFORE Transaction DURING Transaction AFTER Transaction Trusteer IronKey Multifactor at login VeriSign security tokens IP address restrictions Multifactor at transaction screens VeriSign security tokens Dual control for high risk transactions Transaction limits Notify Me Security Alerts & Bill Pay Alerts Laru ACH Clarity/Vision Unusual Login Reports Large Transaction Report ACH Origination Risk Summary Report 26

Layered Security Features BEFORE the transaction Our partners offer IP reputation based tools to block connection to known or suspected fraudulent sites providing an extra layer of protection to your Internet banking users Trusteer Rapport is anti-fraud software that can be quickly deployed to FI s internet banking users Prevents malware from exploiting browser vulnerability and infecting the endpoint Protects personally identifiable Information from theft by malware and via phishing attacks Totally transparent to the end user and does not require changes to the user environment or workflow IronKey Trusted Access is a secure browser available as a downloadable app or portable device Reduces risk by providing a safe oasis from crimeware using keylogging, man-in-browser, phishing, and other attacks Enforces online banking use-only policy; connects only to FI-approved websites Deploys quickly with cloud-based management 27

Layered Security Features BEFORE the transaction Score at Login: 1.573 Hour: 4.858 Network: 0.025 Browser: 0.814 Frequency: 1.431 Cookie: 0.738 Score at Login: 8.857 Hour: 4.285 Network: 10 Browser: 10 Frequency: 10 Cookie: 10 Multi-factor Authentication! If difference in behavior score at login is high, the user is required to provide additional authentication, such as a one time PIN sent to a mobile device or security token. Multifactor at login Users can be presented with additional authentication requirements at login based on unusual login behavior Additional authentication requirements can be set for high risk commercial customers vs. retail customers MFA options include security questions, one time PIN delivered via email or SMS, or security token VIP security tokens FI can require a user to always use a security token to generate a one time PIN required to login to Internet banking Totally integrated within Internet banking/fxim Potential hackers are locked out! Adds another physical layer of security Optional token fulfillment service available 28

Layered Security Features DURING the transaction Multifactor access to transactions Users can be presented with additional authentication requirements when accessing certain transaction pages. Different requirements can be set for high risk commercial customers vs retail customers. MFA options include security questions, one time PIN delivered via email or SMS, or security token. VIP security tokens FI can require any user to always be required use a one time PIN generated from a security token to access certain transaction pages. Adds another physical layer of security. 29

Layered Security Features DURING the transaction Dual control for high risk transactions FI can set business/focus customer to always mandate dual control for high risk ACH origination and wire transfer transactions Business/focus customer can also require additional dual control for sub-user access to initiate/approve high risk transactions Transaction limits FI sets transaction limits for high risk ACH origination and wire transfer transactions Business/focus customer can also set transaction limits for high risk ACH origination and wire transfer transactions initiated/approved by their sub-users 30

Layered Security Features DURING the transaction Comprehensive risk management and fraud prevention solutions using Laru s proprietary business intelligence methodology ACH fraud detection and prevention through the analysis of real originator behavior and similar Wire fraud detection to come in 2012 Originator-centric rules engine to quarantine, review, and approve risky transactions Out-of-band customer communications Change management with audit reporting 31

Layered Security Features AFTER the transaction Unusual Login and Transaction Reports User logins are analyzed against the user s historical profiles to determine a difference in behavior (DIB) score real-time at login. An Unusual Login Activity report of all logins are delivered to the FI for the prior day s login activity Behavior factors taken into account include hour, network, browser, frequency, click and duration. Provides details of user s login and session activity. Large transaction report lists all online transactions over a specified amount set by the FI. 32

Conclusion A layered security approach is the safest and most secure approach to your internet banking solution. Ensuring your financial institution and clients are secure before, during and after the transaction is crucial in protecting valuable and highly confidential information. Does your Financial Institution meet the required elements for a layered security program? For more information, please visit or contact: Cheryl Dunnahoo First Data Cheryl.Dunnahoo@firstdata.com (512) 493-2701 Jack McDonald First Data Jack.Mcdonald@firstdata.com (512) 493-2903 33

Q&A 34

Appendix 35

FFIEC Layered Security Requirement Solutions 1. Detect and respond to suspicious activity 1 Unusual Login Activity report daily summary and real time alerts Daily ACH Origination Summary report Monthly ACH Customer Summary report Daily Wire Transfer Summary report Daily Large Transaction report Large bill pay transaction reports Payee alerts for ACH origination and wire transfers Fraudnet for Fiserv bill pay users (optional) Business partner, Laru, offers software tools to assist institutions in monitoring unusual ACH transactions as well as NACHA file editing capabilities Business partner Trusteer offers tools to detect end-users who may be infected w/malicious software as well as forensic tools to help institutions respond to incidents 36

FFIEC Layered Security Requirement Solutions 2. Control of administrative functions 2 Dual control for FI s FXIM admin user activity Mandatory FXIM admin access restrictions by IP address and/or day/time Dual control at sub-user level for ACH Origination and Wire Transfer activity Daily Sub-User Admin Audit report Mandatory new sub-user security alert 37

FFIEC Guidance Controls Requirement Solutions 1. Fraud detection and monitoring systems 1 Behavior based MFA logic which considers a number of factors to detect unusual login activity Mandatory large transaction alerts to end user via email/sms text: Onus transfers External transfers ACH Origination batch Wire transfer batch Online bill payment Mandatory new or revised bill payment payee alert Unusual Login Activity report real time and daily summary Daily Large Transaction report Large Bill Payment Transaction report Fraudnet for Fiserv/CheckFree bill pay activity (optional) ACH Origination Customer Summary report Mandatory security alerts for password, email, mobile phone # and security question/answer changes 38

FFIEC Guidance Controls Requirement Solutions 1. Dual customer authorization through different access devices 2 Dual control for commercial activity (ACH origination, wire transfers) Dual control for sub-user administration One time PIN sent to email or mobile device for MFA Security token PIN (optional hardware or mobile application token device) Planned 2012 enhancement: 2-way text authorization (vs. one way alert) 39

FFIEC Guidance Controls Requirement Solutions 1. Out of band verification for transactions 3 One time PIN sent to email/mobile device for MFA Security token PIN (hardware or software token device) - optional 40

FFIEC Guidance Controls Requirement Solutions 1. Use of positive pay debit blocks and other techniques 4 Business partnership with Laru to provide the ACH Vision software 2012 enhancement: ACH positive pay; approved originator list 41

FFIEC Guidance Controls Requirement Solutions 1. Enhanced controls over account activities 5 Transaction limits for external transfers, ACH origination and wire transfer requests Mandatory New / Changed Payee alerts bill pay Payee alerts for ACH origination and wire transfers End-user IP address restrictions 42

FFIEC Guidance Controls Requirement Solutions 1. IP reputation based tools to block connection to known or suspected fraudulent sites 6 Business partner Trusteer s Rapport software - Rapport is compact security software that prevents malware infection and protects personally identifiable information (such as internet account credentials) from theft by malware and via phishing attacks. Business partner IronKey s Trusted Access downloadable app or portable device - Trusted Access is a secure browser that runs from a read-only environment to protect users and reduce risk of account takeovers. The secure browser connects only to FIapproved websites. Deploys quickly using cloud-based management with additional, integrated security layers coming soon including out-of-band authentication and built-in analytics. Ongoing monitoring of suspect IP addresses by First Data s Security Monitoring Center End-user IP address restrictions 43

FFIEC Guidance Controls Requirement Solutions 1. Enhanced control over account maintenance activities performed by customers or through customer service channels 7 Business Partner Trusteer s Flashlight solution and monitoring console Planned 2012 enhancement: FX Sample Policies and Procedures will be updated 44

FFIEC Guidance Controls Requirement Solutions 1. IP reputation based tools to block connection to known or suspected fraudulent sites 8 Dual control for FXIM admin user activity Mandatory admin access restrictions by IP address and/or day/time Daily Sub-User Admin audit report Mandatory new sub-user security alert Dual control for sub-user administration 45

FFIEC Guidance Controls Requirement Solutions 1. Enhanced customer education to increase awareness of fraud risk and techniques the customer can use to mitigate risk 9 Security education tools, sample targeted notifications, and banner ads are available on our client support site Links to free educational resources 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback