Transcript RM Roadshow

Here Phishy, Phishy…
Don’t Take the Bait
Protect your Company from Payment Fraud
James Emerson
Vice President-Controller
U. S. Risk Insurance Group, Inc.
Steven Bullitt
Assistant to Special Agent
in Charge
United States Secret Service
Neal Baker
Senior Vice President
Director of Corporate Security
and Fraud Investigations
Texas Capital Bank
Moderator:
Duane Reaves
Treasury & Liquidity Solutions
Texas Capital Bank
Agenda
• Introduction of Panelists
• Key Messages
• Setting the Stage
• Magnitude of the Problem
• Zeus Bot Confidential
• Into the Deep: Panelists’ Experiences
• Protections and Recommendations
• Terms
• Q&A
Key Message
Fraud is here to stay… whether it is internal, external, electronic or paper-based… it is worse than you thought
• Prevention is not just about utilizing the latest technology but involves an active application of common sense
• Cybercrime looks like a business, walks like a business, talks like a business, and the opponents are intelligent and nimble
• No organization is immune from internal or external fraud
• Check fraud is still rampant; ACH fraud is on the rise with more corporations moving to electronic payments; and cyber fraud has only begun
Background
Cybercrime is widespread and mainstream…
• Velocity of business account takeover is increasing
• Thousands of strains of malware are delivered at a rate outpacing the ability of anti-virus software to mitigate threats on a real-time basis
• Cyber attacks are costly, with an average cost of $18k per day and a median cost per company of $3.8 million annually
• Cybercrime is a $70 billion industry in the U.S. with a dedicated, career-minded “workforce” forming an underground economy
• Zeus Trojan infiltration spans 196 countries with an estimated 3.6 million infected computers in the U.S. alone, and has already infected virtual cloud computing networks
• Social networking is tipping the knowledge scale in favor of the “phishers”
Background
Names in cyber news…
• In 2009, 74,000 FTP accounts on websites of companies such as NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek were compromised
• Zeus has sent out over 1.5 million phishing messages on Facebook
• Zeus has spread emails purporting to be from major corporations; in one instance, nine million were sent purporting to be from Verizon Wireless alone
Background
Not to be outdone, non-electronic payment fraud is also a thriving business…
• Over 90% of all attempted payment fraud today still involves checks
• Counterfeit checks using the organization’s MICR line data are the most prevalent form of check fraud
• Altered payee names on checks also rank very high in the incidence of fraud
• Altered employee pay checks score as the third most prevalent form of check fraud
Magnitude of the Problem
You know things are bad when…
• There are 93 Computer Crime Task Forces in the United States alone
• The FBI had a major cyber fraud takedown called Operation Phish Phry
• We now have a National Cyber Security Awareness Month
• The Electronic Crimes Task Force of the U.S. Secret Service has been in existence now for 16 years
Threat Environment
[Chart: threat landscape matrix. Axes: Level of Sophistication, Number of Incidents, Barriers to Entry, Pay-off and Known Mitigates, with scale endpoints labelled Higher/Lower, Greater/Lesser, More/Fewer and Many/Fewer. Threats plotted: Coordinated Attacks; Terrorists; Man-in-the-Browser with Zeus Bot; Organized Cyber Crime Rings; Hybrid Worms; USPS and Lockbox Check Theft; Rogue Employees; Viruses; Phishing; ACH Kiting; Organized Crime Rings; Whaling; Hired Hackers for Corporate Espionage; Hobbyists/Cyber Vandals; Counterfeit and Altered Checks; Internal Theft.]
Zeus Bot Confidential
• Zeus is available for purchase in underground forums for $700
• $4000 buys the latest version, and there are published “going rates” for an array of fraudulent services
• You can get it for free, if you don’t mind pirating software... and what hacker does?
• The software incorporates copy protection mechanisms to attempt to prevent piracy, illustrating the intent of the organization to run as a “business”
• The Zeus organization is thought to operate out of the Ukraine, Latvia and other countries
• The organization is rumored to have a “support staff” of over 500
Zeus Bot Confidential
[Diagram: roles in the Zeus fraud ecosystem]
Malware coders
• Program software to exploit a computer vulnerability and sell it on the black market
Malware Exploiters
• Purchase malware
• Utilize it to steal banking credentials
• Launch attacks from compromised machines
• Transfer stolen funds
Money Mules
• Receive and transfer stolen funds
• Retain a percentage of the funds
Victims
• Include individuals, businesses and financial institutions
Zeus Bot Confidential
[Diagram: the Zeus fraud cycle]
1. Email received by victim, or victim visits a legitimate website: the attachment contains malware or a malicious script is on the website
2. Work station compromised: the victim is infected with credential-stealing software and banking credentials are stolen
3. Hacker engages: the hacker receives the banking credentials, remotes into the victim’s computer via a compromised proxy and logs into the victim’s online banking service
4. Stolen funds go to mules: mules receive the stolen funds and retain a percentage
5. Money transferred to fraudulent companies (mules)
6. Money moved offshore (mules)
7. Money laundered (mules)
Cycle repeats
Into the Deep-Panelists’ Experiences
Fraud Awareness Checklist
(Columns: Common Sense / Technology Assisted)
Account Structure
• Minimize number of accounts
• Use unique serial number ranges for specific purposes, not new accounts
• Segregate accounts at greater risk
Check Supply
• Use established vendor
• Use unique check style for each account type
• Monitor delivery of orders and inform vendor if not received
• Use check stock with security features such as fluorescent fibers, watermarks, chemical resistance, bleach reactive stains, thermochromatic ink, microprinting warning band and more
• Use secured storage with controlled access for check stock, check printing equipment, endorsement stamps and cancelled checks
Internal Controls
• Use dual authorization for ALL monetary transactions including online ACH originations, ACH direct transmissions, Wire Transfers and RDC
• Formally and regularly review internet security
• Set policies regarding passwords such that 1) the same passwords are not used for different applications, 2) they are not easy to guess, e.g. pet or children’s names, etc., 3) they contain special characters and are not just alphanumeric and 4) they are changed often
• Mask account numbers and EINs on correspondence
• Conduct surprise audits
• Never sign checks in advance
• Review and update signature cards annually
• Use only dedicated, standalone computers for online banking where email and web browsing are not allowed
• Set policies to disable user IDs and passwords during leaves and to never pre-fill the password at log-on
Anti-Virus and Spyware
• Do not open attachments to an email if the subject line or the email itself looks suspicious or unexpected
• Do not download from unfamiliar file sharing sites
• Aggressively update your anti-virus applications regularly
• Schedule anti-virus software to run daily and automatically
• Install a firewall with a default-deny configuration as a first line of defense against hackers
• Utilize security certificate verification software
• Employ intrusion analytics software
• Prepare, implement and practice an incident response plan
• Install perimeter spam and malicious content filtering
System-Focused Controls
• Require complex passwords and PINs
• Limit physical access to supporting technologies and servers
• Store system and data backups in a protected, encrypted manner
• Instruct token users to report lost or stolen tokens immediately, and disable them immediately
• Implement network and host-based firewalls, anti-virus, and intrusion detection software
• Ensure servers and desktop systems are patched
• Implement regular vulnerability assessments on systems and correct any identified issues
• Instruct users to watch for, and report, unusual system behavior
Transaction Controls
• Review and reconcile accounts daily and monthly
• Validate vendor legitimacy and account information by performing a callback if an invoice is suspect or there is a change of address request
• Formalize procedures to securely retain, then safely shred, checks after remote deposit
• When possible, convert paper payments to electronic
• Implement policies requiring employees to always log off, not just wait for the automated timeout
• Do not provide your EIN unless required for a validated need
• Secure your check stock or other negotiable documents and manage them under dual control
• Secure your workplace: deter non-employees from accessing files, including trash bins
• Maintain ACH and wire limits as low as possible
Staffing
• Limit authorizations to appropriate employees
• Segregate duties between staff that issue payments and those that reconcile
• Rotate banking duties to prevent collusion
• Review system access privileges for all employees regularly
• Proactively provide education on phishing and other cybercrime
• Screen and log temporary help and vendors that come on site
• Promptly deactivate employee access cards for temporary or laid-off staff
• Promptly collect security tokens and deny computer access for temporary or laid-off staff
Banking Services: Paper Transactions
• Validate the legitimacy of checks presented by using Positive Pay
• Designate accounts for use in electronic transactions only and block checks from debiting
• If inbound check volume warrants, use a Lockbox for segregation of duties
Banking Services: ACH Transactions
• Stop all ACH originators from debiting your accounts by using Debit Blocks
• Ensure only authorized originators can access accounts for predetermined amounts by using Debit Filters
• Validate the legitimacy of ACH debits presented by using ACH Positive Pay
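As an added illustration of how the Positive Pay and ACH Debit Block/Filter services above make their decisions (example code written for this transcript, not the bank’s or the presenters’ own; all check serials, payees, originator IDs and amounts are constructed sample data):

```python
"""Simplified model of the bank-side controls named on this slide. Positive Pay
compares each check presented for payment against the issue file the company
sent the bank; an ACH Debit Filter admits only pre-authorized originators up to
a predetermined amount. All IDs, names and amounts here are constructed."""


def positive_pay_exceptions(issue_file, presented):
    """Return (serial, reason) for each presented check that fails to match the
    issue file. Both inputs are lists of (serial, payee, amount). Serial, amount
    and payee are checked, and a serial presented twice (a counterfeit duplicate
    of a genuine check) is flagged."""
    issued = {serial: (payee, amount) for serial, payee, amount in issue_file}
    seen = set()
    exceptions = []
    for serial, payee, amount in presented:
        if serial in seen:
            exceptions.append((serial, "duplicate presentment"))
            continue
        seen.add(serial)
        if serial not in issued:
            exceptions.append((serial, "serial not in issue file"))
        elif abs(issued[serial][1] - amount) > 0.005:
            exceptions.append((serial, "amount mismatch"))
        elif issued[serial][0].casefold() != payee.casefold():
            exceptions.append((serial, "payee mismatch"))
    return exceptions


def ach_debit_filter(authorized, debits):
    """Split incoming ACH debits (originator company ID, amount) into
    (accepted, rejected). `authorized` maps originator ID to the maximum amount
    it may debit; an empty dict behaves as a full Debit Block."""
    accepted, rejected = [], []
    for company_id, amount in debits:
        cap = authorized.get(company_id)
        if cap is None:
            rejected.append((company_id, amount, "originator not authorized"))
        elif amount > cap:
            rejected.append((company_id, amount, "exceeds authorized amount"))
        else:
            accepted.append((company_id, amount))
    return accepted, rejected


# Constructed sample data: the issue file sent to the bank and the items presented.
ISSUE_FILE = [(1001, "Acme Supply", 1250.00), (1002, "Office Supply Co.", 89.95)]
PRESENTED = [(1001, "Acme Supply", 1250.00),
             (1002, "Office Supply Co.", 8995.00),  # amount altered
             (1001, "Acme Supply", 1250.00),        # counterfeit duplicate of 1001
             (1003, "Cash", 500.00)]                # serial never issued
AUTHORIZED_ORIGINATORS = {"1234567890": 5000.00}  # one vendor, $5,000 cap
```

Running `positive_pay_exceptions(ISSUE_FILE, PRESENTED)` returns the three exception items the bank would hold for the company’s pay/return decision; genuine checks produce no exception.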
Key Message
If you don’t do anything else…
• Never leave check stock unsecured
• Never share passwords and user names
• Never leave payment and reconcilement in the hands of the same individual(s)
• Educate employees to be suspicious of emails from banks or government agencies requesting information
• Consider standalone PCs for online banking
• Rehearse your preparedness plan for the case that you are compromised
• Use Positive Pay and ACH Debit Blocks
• Always initiate ACH and wire transfers under dual control
• Install antivirus and security software on all PCs
Terms
Phishing
• Swindling people out of log-in information by representing oneself as a representative of a legitimate organization
• Widespread targeting of countless people, usually through spam
Whaling
• Attempt to hijack the personal computers of top-ranking business executives
• Targeting a specific individual and formulating messages to appeal specifically to them
• Victims are carefully chosen and tricked into opening an attachment containing embedded code allowing a hacker to take over their computer, browse their files, etc.
• Personal information from LinkedIn and other sites is often used as a “hook”
Man-in-the-Middle
• “Eavesdrops” on communication between two systems and then hijacks the connection. Once the connection is hijacked, unauthorized activity begins and the authorized user is blocked or delayed.
• Also known as a bucket-brigade attack or Janus attack
Man-in-the-Browser
• Similar to a Man-in-the-Middle attack, but in this case data is manipulated before it is sent to the company and presented to the user. For example, the screen displays the correct account number, but the transmissions use a different account number.
Terms
Reverse Phishing
• Fraudsters send emails to corporations providing fraudulent banking information, redirecting ACH payments to an account they control
ACH Kiting
• Similar to check kiting, ACH kiting involves multiple accounts used for fraudulent purposes
• ACH debits are originated from one account and drawn on the other, with the available balance taken out before settlement
Insider ACH Origination Fraud
• Insiders at a bank or merchant alter an ACH file to skim funds from a company
ACH Counterfeiting
• ACH debits are generated from the electronic conversion of a counterfeit check
Thank You and Be Safe!
The recommendations in this document are suggestions and each company’s situation is unique.
Consult appropriate advisors in implementing your fraud protection program.