combating internet banking fraud - american bank · 2017-08-18 · restrict internet usage on...

Combating Internet Banking Fraud Hackers, Crackers and Fraudsters, OH MY!


Agenda

• Cyber Definitions

• Current Statistics

• Threats

• Bank and Customer Partnership

• Risk Mitigation

• Multi Layer Security

Cyber Definitions

• Viruses

A virus is a small piece of software that piggybacks on real programs. Many viruses are picked up from:

- email attachments
- links in an email
- external hard drives, including thumb drives
- infected websites


Cyber Definitions

• How to handle email attachments

New viruses are constantly created. Almost every type of file (for example: .doc, .xls, .jpg, .com, and .exe) now has a virus associated with it. There is no sure way to tell if an email attachment has a virus by looking at the file name or type.

• Some best practices for preventing email viruses are:

- The antivirus software installed on your PC or network scans all incoming emails and removes almost all attachments that have viruses.

- Do not open email attachments from unknown sources.

- If you think you are infected with a virus, contact your computer vendor.


Cyber Definitions

• A virus infestation can create:

- System lock-ups for no apparent reason
- Data files are erased automatically
- “File not found” messages become commonplace
- Memory errors occur, with trash or unexpected data being displayed on the monitor
- Software packages become inaccessible from the main menu
- A disk light comes on when there is no disk activity
- The PC does not respond to keyboard strokes


Cyber Definitions

• Spyware

What is Spyware?

Spyware is harmful software that takes control over part of a computer’s operation. The user has not consented to the software being installed or run on the computer. It secretly watches the user for the benefit of a third party. Spyware can come with downloaded software such as music files, free offers, surveys, etc. The user downloads a program, such as a music program or a file trading utility, and installs it. The program also installs spyware.

Cyber Definitions

There is no definite set of symptoms to detect cyber threats. Each threat can work in different ways. However, the following items reflect some characteristics to look for that might be helpful in recognizing a problem.

A spyware infestation can create:

- “Pop up” advertisements that appear when the browser is not running or when the system is not even connected to the internet
- An unfamiliar search toolbar or other browser toolbar that appears without being requested or installed
- Slower network traffic
- System crashes
- Problems connecting to the internet


Cyber Definitions

• Phishing

What is Phishing?

Phishing is when a thief poses as a valid business and sends emails as that business to get information such as credit card numbers, passwords or PINs.

Phishing is similar to fishing because phishers send out emails to a large number of people and wait to see who bites.


Cyber Definitions

• How to avoid Phishing

The best way to avoid phishing is to inspect all emails that you receive from your financial institution, credit card company and online stores. Some common clues that an email is a fraud:

Personalization: Many phishing emails are not personalized; they are addressed to a generic user. This is because phishers send out mass emails to as many email addresses as they can find. Phishers often do not have the names associated with each email address, as your financial institution or credit card company would.


Cyber Definitions

• How to avoid Phishing – Continued

Links: Look carefully at the links within an email. Links in phishing emails often use extra periods and words in the web address. If you are unsure, do not click on the link within the email. Call your financial institution, but do not use the phone number listed in the email.

Advanced Phishing: A new phishing attack has been targeted at financial institutions. It is unique because it links to the institution's actual website instead of redirecting to a false website. The attack is embedded within the link and captures username and password information for future use. Again, as the attacks become more sophisticated, always call the financial institution to confirm the email.

Cyber Definitions

• Other key definitions

Keylogger – Like spyware, a keylogger is software or hardware attached to your PC with the intention of capturing keystrokes to find login information, answers to security questions, credit card numbers, etc. The captured information is sent or dumped to the fraudster's chosen destination.

Money mule – A money mule is an individual or a group of individuals used to filter and transfer stolen funds to the actual fraudsters, typically in foreign countries. Some money mules are just as much victims of the fraud that is occurring as we are.

Combat Methods

New approaches are needed to combat today’s methods of online attacks.

From the beginning of online banking, security practitioners at banks focused on the threats that attackers would present to online banking applications.

On the positive side, externally originated attacks against the online banking websites generally are unsuccessful because of the focus given to firewalls, monitoring systems and secure networks surrounding those applications.

Combat Methods

• The steps below should be followed immediately in the event a virus/cyber threat is suspected.

- Immediately stop all processing on the infected PC
- Notify your computer vendor and have the PC scanned for viruses and/or spyware
- Unplug the network/internet cable
- Do not back up a system with a detected/suspected virus until the threat has been eliminated.

The Attackers have now changed their focus to you.

Why you?

- Lack of security – no firewall, no network monitoring devices
- Lack of employee controls

How do they get to us? What are their Attack Channels?

o Phishing sites – a spoofed e-mail directs the victim to check or correct their internet banking logon credentials and contains a link to a phished (fake) website.

o E-mail attachments and websites – victim receives spam e-mail or searches for a web site that then entices the user to open an attachment that actually downloads a virus, spyware or a key logging application that captures any key strokes made on the pc.

o Physical access to your pc to install a keylogging device.


Current Statistics

• 120,000,000 new malicious programs – 1st half of 2010

• Phishing – at the end of June 2009 ~ 50,000 sites

• It’s all about the money

– Banking Trojans – over 200,000 variants

– 61% of Trojans are Banking Trojans

• 120 million in losses due to fraudulent EFTs in the 3rd quarter of 2009

Threats

• Stolen login credentials

• Answers to challenge questions compromised

• Pop-ups claim your PC is infected

• Usually have Trojan Programs embedded

Threats

Fraudster logs in with valid ID and Password/PIN retrieved through:

- PC compromise – keylogging software uploaded
- Poor user administration of credentials
- Use of shared login credentials among multiple users
- No current anti-virus on PC
- Internet usage by employees

E-Banking Bandits Stole $465,000 From California Escrow Firm


Bank/Customer Partnership

• Create a Partnership with your bank to safeguard your accounts against Fraud.

• Fraudsters are constantly looking for new ways to defraud consumers.

• Implementing a layered security approach is the best way to prevent fraud.

- Physical controls for PC access
- Anti-Virus
- Strong Password requirements
- Multi Factor Authentication
- Dual control for processes
- Employee Control over internet and e-mail access

Password Settings

• Password expiration is 180 days

• Do not reuse passwords – fraudsters sometimes wait and use the information they received at a later date.

• Minimum password length – 8 characters that must contain:

– Upper and lower case alpha characters

– At least one number

– At least one special character

• Users have a better chance of avoiding fraud if their credentials change periodically.


Multi Factor Authentication

• User ID & Password – required minimum

• Security Questions – transactions over $1,000 automatic prompt

• Watermark chosen by customer

• Call back for failed authentication

• Tokens – change # every 1 minute

• Volume, value and frequency controls

• Fax or e-mail confirmation

Customer Best Practices

Create dual control processes for file transfer origination

Never share or write down your online financial banking password.

Restrict internet usage on internet banking pc

Install & Update anti-virus/malware software

Train employees on e-mail usage, internet usage and phishing scams.

Avoid sending sensitive information in unencrypted emails.

Always sign out of your internet financial banking session when stepping away from your computer.

Review account activity daily

Notify the financial institution if you suspect a breach of your account.


Safe Internet Banking

• As use of the internet continues to expand, more banks are using the Web to offer products and services to customers.

• The internet offers the potential for safe, convenient new ways to conduct banking business, any day, any time. However, safe banking online involves making good choices – decisions that will help you avoid costly surprises or even scams.

Protect yourself from Fraudulent Web Sites

• Watch out for copycat Web sites that deliberately use a name or Web address very similar to, but not the same as, that of a real financial institution.

• The intent is to lure you into clicking onto their Web site and giving your personal information, such as your account number and password.

• Always check to see that you have typed the correct Web site address for your bank before conducting a transaction.
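
The link and copycat-address checks described above, written out as an added example (not part of the original presentation): it compares the host name in a link against the bank's real domain. The domain `americanbank.example`, the function names and the sample links are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholder for the bank's real registered domain.
TRUSTED_DOMAIN = "americanbank.example"

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copycat names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', 'embedded-name', 'copycat' or 'unrelated'."""
    # urlsplit isolates the real host, ignoring any "user@" prefix and the path.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"  # no scheme/host to judge (e.g. a bare path)
    # Only the exact host or a true subdomain counts; the leading dot matters.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    labels = host.split(".")
    name = trusted.split(".")[0]
    # "Extra periods and words": the bank's name is present but the host
    # actually belongs to a different registered domain.
    if trusted in host or any(name in label for label in labels):
        return "embedded-name"
    # Copycat: the last labels are one or two edits away from the real domain.
    tail = ".".join(labels[-len(trusted.split(".")):])
    if 0 < edit_distance(tail, trusted) <= 2:
        return "copycat"
    return "unrelated"

# Constructed sample links (not real sites).
SAMPLES = [
    "https://www.americanbank.example/login",
    "https://americanbank.example.secure-login.test/verify",
    "https://americambank.example/",
    "https://weather.test/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):14} {link}")
```

A mail filter or training exercise could run this over the links extracted from a message; anything other than `trusted` on a message that claims to come from the bank deserves a phone call to the institution.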

Identity Theft Resources

• If you have been scammed by a phishing email you should:

- Contact the Fraud Department of one of the three consumer reporting agencies (Equifax, Experian, or TransUnion) and place a fraud alert on all accounts.
- Contact the company or financial institution where your tampered accounts are held.
- File a report with the local police. Get a copy of the report.
- File a complaint with the Federal Trade Commission (FTC).

These steps, plus more information about identity theft, can be found on the Federal Trade Commission's Identity Theft website at http://www.ftc.gov/bcp/edu/microsites/idtheft/


Identity Theft Resources

• The FDIC has several online videos about protecting yourself from identity theft. These online videos are free.

• Visit the FDIC’s consumer resources webpage at http://www.fdic.gov/quicklinks/consumers.html