Combating Internet Banking Fraud - American Bank · 2017-08-18
TRANSCRIPT
Combating Internet Banking Fraud
Hackers, Crackers and Fraudsters, OH MY!
Agenda
• Cyber Definitions
• Current Statistics
• Threats
• Bank and Customer Partnership
• Risk Mitigation
• Multi Layer Security
Cyber Definitions
• Viruses
A virus is a small piece of software that piggybacks on real programs. Many viruses are picked up from:
- email attachments
- links in an email
- external hard drives, including thumb drives
- infected websites
Cyber Definitions
• How to handle email attachments
New viruses are constantly created. Malware can be carried by almost every type of file (for example: .doc, .xls, .jpg, .com and .exe). There is no sure way to tell whether an email attachment carries a virus by looking at the file name or type.
• Some best practices for preventing email viruses are:
- The antivirus software installed on your PC or network scans all incoming emails and removes most attachments that carry known viruses; it cannot be relied on to catch brand-new variants.
- Do not open email attachments from unknown sources.
- If you think you are infected with a virus, contact your computer vendor.
Cyber Definitions
• A virus infection can cause:
- System lock-ups for no apparent reason
- Data files being erased automatically
- "File not found" messages becoming commonplace
- Memory errors, with garbage or unexpected data displayed on the monitor
- Software packages becoming inaccessible from the main menu
- The disk light coming on when there is no disk activity
- The PC not responding to keystrokes
Cyber Definitions
• Spyware
What is Spyware?
Spyware is harmful software that takes control over part of a computer's operation without the consent of the user to be installed or run. It secretly watches the user for the benefit of a third party. Spyware can come bundled with downloaded software such as music files, free offers, surveys, etc. The user downloads a program, such as a music player or a file-trading utility, and installs it; the installer also installs the spyware.
Cyber Definitions
There is no definite set of symptoms for detecting cyber threats. Each threat can work in different ways. However, the following items reflect some characteristics that might be helpful in recognizing a problem.
A spyware infection can cause:
- "Pop-up" advertisements that appear when the browser is not running or when the system is not even connected to the internet.
- An unfamiliar search toolbar or other browser toolbar that appears without being requested or installed.
- Slower network traffic
- System crashes
- Problems connecting to the internet
Cyber Definitions
• Phishing
What is Phishing?
Phishing is when a thief poses as a valid business and sends emails in that business's name to obtain information such as credit card numbers, passwords or PINs.
Phishing is similar to fishing because phishers send out emails to a large number of people and wait to see who bites.
Cyber Definitions
• How to avoid Phishing
The best way to avoid phishing is to inspect all emails that you receive from your financial institution, credit card company and online stores. Some common clues that an email is a fraud:
Personalization: Many phishing emails are not personalized; they are addressed to a generic user. This is because phishers send out mass emails to as many addresses as they can find. Phishers often do not have the names associated with each email address, as your financial institution or credit card company would.
Cyber Definitions
• How to avoid Phishing – Continued
Links: Look carefully at the links within an email. Links in phishing emails often use extra periods and words in the web address, so that the bank's name appears somewhere in the address even though the site belongs to someone else. Check the address the link actually points to (shown when you hover over it), not the text displayed for it. If you are unsure, do not click on the link within the email; call your financial institution, but do not use the phone number listed in the email.
Advanced Phishing: A newer phishing attack has been targeted at financial institutions. It is unique because the link points to the institution's actual website instead of redirecting to a false website. The attack is embedded within the link itself and captures username and password information for future use. Because attacks keep becoming more sophisticated, always call the financial institution to confirm the email.
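The link checks above, expressed as code. This is an added example, not material from the presentation: it takes the address a link actually points to and decides whether it belongs to the bank, flagging the tricks the slide describes (the bank's name buried among extra labels or words, a user@ prefix in front of the real host, a raw IP address, look-alike punycode labels, and a trusted host served without TLS). The trusted domain `bank.example` and every sample link are constructed for the demonstration.

```python
"""Decide whether a link from an e-mail really points at the bank.

Added example; not code from the presentation. The trusted domain
'bank.example' and all sample links are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed: the institution's legitimate domain(s). Constructed value.
TRUSTED_DOMAINS = {"bank.example"}


def under_trusted_domain(host: str, trusted: set) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    The trusted name has to be the *suffix*: 'login.bank.example' passes,
    'bank.example.account-verify.test' (bank name buried in extra labels)
    and 'secure-bank.example' (extra words) do not.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_link(url: str, trusted: set = TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'.

    Inspects the address the link points to, not the text shown for it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", "unexpected scheme %r" % parts.scheme
    # 'https://bank.example@evil.test/': everything before '@' is userinfo;
    # the browser connects to evil.test, not bank.example.
    if parts.username is not None or parts.password is not None:
        return "suspicious", "user@ prefix hides the real host"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host in link"
    try:
        ipaddress.ip_address(host)
        return "suspicious", "raw IP address instead of the bank's domain"
    except ValueError:
        pass  # not an IP literal, keep checking
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode label (possible look-alike characters)"
    if not under_trusted_domain(host, trusted):
        return "suspicious", "host %r is not under a trusted domain" % host
    if parts.scheme != "https":
        return "suspicious", "trusted host, but plain http (no TLS)"
    return "ok", "host %r is under a trusted domain" % host


if __name__ == "__main__":
    # Constructed sample links of the kinds the slide warns about.
    for link in [
        "https://www.bank.example/online-banking",
        "https://www.bank.example.account-verify.test/login",   # extra labels
        "https://secure-bank.example/login",                      # extra words
        "https://bank.example@198.51.100.7/login",                # user@ trick
        "http://bank.example/login",                              # no TLS
    ]:
        print("%-55s %s: %s" % (link, *classify_link(link)))
```

The suffix test is the important part: a string match for "bank.example" anywhere in the address would pass the first two suspicious links, which is exactly what the extra periods and words are designed to exploit.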
Cyber Definitions
• Other key definitions
Keylogger – software (like spyware) or a hardware device attached to your PC with the intention of capturing keystrokes to find login information, answers to security questions, credit card numbers, etc. The captured information is sent or dumped to the fraudster's chosen destination.
Money mule – an individual or group of individuals used to filter and transfer stolen funds to the actual fraudsters, typically in foreign countries. Some money mules are just as much victims of the fraud that is occurring as we are.
Combat Methods
New approaches are needed to combat today's methods of online attacks.
From the beginning of online banking, security practitioners at banks focused on the threats that attackers would present to online banking applications.
On the positive side, externally originated attacks against the online banking websites generally are unsuccessful because of the focus given to firewalls, monitoring systems and secure networks surrounding those applications.
Combat Methods
• The steps below should be followed immediately in the event a virus/cyber threat is suspected.
- Immediately stop all processing on the infected PC
- Unplug the network/internet cable, so the malware can no longer send captured data out or receive commands
- Notify your computer vendor and have the PC scanned for viruses and/or spyware
- Do not back up a system with a detected/suspected virus until the threat has been eliminated; a backup taken now preserves the infection.
The attackers have now changed their focus to you. Why you?
- Lack of security – no firewall, no network monitoring devices.
- Lack of employee controls
How do they get to us? What are their attack channels?
o Phishing sites – a spoofed e-mail directs the victim to check or correct their internet banking logon credentials and contains a link to a phished (fake) website.
o E-mail attachments and websites – the victim receives a spam e-mail, or searches for a website, that entices the user to open an attachment which actually downloads a virus, spyware or a keylogging application that captures any keystrokes made on the PC.
o Physical access to your PC to install a keylogging device.
Current Statistics
• 120,000,000 new malicious programs – 1st half of 2010
• Phishing – at the end of June 2009, ~50,000 phishing sites
• It's all about the money – Banking Trojans – over 200,000 variants; 61% of Trojans are Banking Trojans
• $120 million in losses due to fraudulent EFTs in the 3rd quarter of 2009
Threats
• Stolen login credentials
• Answers to challenge questions compromised
• Pop-ups claiming your PC is infected – these usually have Trojan programs embedded
Threats
The fraudster logs in with a valid ID and password/PIN retrieved through:
- PC compromise – keylogging software uploaded
- Poor user administration of credentials
- Use of shared login credentials among multiple users
- No current anti-virus on the PC
- Internet usage by employees
Case in point: E-Banking Bandits Stole $465,000 From California Escrow Firm
Bank/Customer Partnership
• Create a partnership with your bank to safeguard your accounts against fraud.
• Fraudsters are constantly looking for new ways to defraud consumers.
• Implementing a layered security approach is the best way to prevent fraud:
- Physical controls for PC access
- Anti-virus
- Strong password requirements
- Multi-factor authentication
- Dual control for processes
- Employee control over internet and e-mail access
Password Settings
• Password expiration is 180 days
• Do not reuse passwords – fraudsters sometimes wait and use the credentials they captured at a later date.
• Minimum password length – 8 characters, which must contain:
– Upper and lower case alpha characters
– At least one number
– At least one special character
• Users have a better chance of avoiding fraud if their credentials change periodically.
Multi Factor Authentication
• User ID & password – required minimum
• Security questions – transactions over $1,000 automatically prompt for one
• Watermark (image) chosen by the customer, shown at logon so the customer can tell the genuine site from a copy
• Call back for failed authentication
• Tokens – the one-time code changes every minute
• Volume, value and frequency controls
• Fax or e-mail confirmation
Customer Best Practices
- Create dual control processes for file transfer origination
- Never share or write down your online financial banking password.
- Restrict internet usage on the internet banking PC
- Install and update anti-virus/anti-malware software
- Train employees on e-mail usage, internet usage and phishing scams.
- Avoid sending sensitive information in unencrypted emails.
- Always sign out of your internet financial banking session when stepping away from your computer.
- Review account activity daily
- Notify the financial institution if you suspect a breach of your account.
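The layered transaction controls from the two slides above (the automatic challenge over $1,000, dual control for file origination, and volume, value and frequency limits) as one small rule engine. This is an added example and not the bank's actual rule set: the $1,000 step-up threshold is the figure the slide states, while the daily value and count limits, the five-minute burst window and the sample day of transfers for account `ESCROW-01` are constructed for the demonstration. Amounts are in cents to avoid floating-point rounding.

```python
"""Layered transaction controls: a step-up challenge above a value threshold,
dual control for file (batch) origination, and per-account volume, value and
frequency limits.

Added example; not the bank's rule set. The $1,000 step-up threshold is the
one the slide states; the daily limits, the burst window and the sample
transfers are constructed. Amounts are in cents.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

STEP_UP_CENTS = 1_000_00             # slide: security question over $1,000
DAILY_VALUE_CENTS = 25_000_00        # assumed: per-account value per day
DAILY_COUNT = 10                     # assumed: per-account transfers per day
BURST_WINDOW = timedelta(minutes=5)  # assumed: frequency control window
BURST_COUNT = 3                      # assumed: max transfers per window


@dataclass
class Transfer:
    account: str
    amount_cents: int
    at: datetime
    kind: str = "single"                    # "single" or "file" (batch origination)
    second_approver: Optional[str] = None   # dual control: who approved a file


@dataclass
class Ledger:
    """Per-account running totals; keys are (account, business day)."""
    day_value: dict = field(default_factory=lambda: defaultdict(int))
    day_count: dict = field(default_factory=lambda: defaultdict(int))
    recent: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, t: Transfer) -> list[str]:
        """Return the controls this transfer triggers; an empty list means
        it may proceed on the user's password alone."""
        key = (t.account, t.at.date())
        actions = []
        if t.amount_cents > STEP_UP_CENTS:
            actions.append("step-up: challenge question")
        if t.kind == "file" and not t.second_approver:
            actions.append("hold: dual control, second approver required")
        if self.day_value[key] + t.amount_cents > DAILY_VALUE_CENTS:
            actions.append("block: daily value limit")
        if self.day_count[key] + 1 > DAILY_COUNT:
            actions.append("block: daily count limit")
        in_window = [ts for ts in self.recent[t.account] if t.at - ts <= BURST_WINDOW]
        if len(in_window) + 1 > BURST_COUNT:
            actions.append("hold: frequency, manual review")
        return actions

    def commit(self, t: Transfer) -> bool:
        """Record the transfer unless something holds or blocks it. A
        step-up is assumed to have been answered by the caller first."""
        if any(a.startswith(("hold", "block")) for a in self.evaluate(t)):
            return False
        key = (t.account, t.at.date())
        self.day_value[key] += t.amount_cents
        self.day_count[key] += 1
        self.recent[t.account].append(t.at)
        return True


def sample_run() -> list[tuple[str, list[str], bool]]:
    """Constructed day of activity for one account; returns, per transfer,
    (label, controls triggered, whether it was recorded)."""
    ledger = Ledger()
    t0 = datetime(2017, 8, 18, 9, 0)
    samples = [
        ("vendor payment under $1,000", Transfer("ESCROW-01", 800_00, t0)),
        ("wire over $1,000", Transfer("ESCROW-01", 4_500_00, t0 + timedelta(minutes=1))),
        ("ACH file, one user", Transfer("ESCROW-01", 9_000_00, t0 + timedelta(minutes=2), "file")),
        ("ACH file, two users", Transfer("ESCROW-01", 9_000_00, t0 + timedelta(minutes=3), "file", "jsmith")),
        ("4th transfer in 5 min", Transfer("ESCROW-01", 100_00, t0 + timedelta(minutes=4))),
        ("wire over daily value", Transfer("ESCROW-01", 20_000_00, t0 + timedelta(hours=2))),
    ]
    results = []
    for label, t in samples:
        actions = ledger.evaluate(t)
        results.append((label, actions, ledger.commit(t)))
    return results


if __name__ == "__main__":
    for label, actions, recorded in sample_run():
        status = "recorded" if recorded else "stopped"
        print("%-28s %-9s %s" % (label, status, "; ".join(actions) or "-"))
```

Note the split between a step-up (the transfer proceeds once the challenge is answered) and a hold or block (a second person or the bank has to act). A stolen password plus keylogged challenge answers defeats the step-up, which is why the dual-control hold on file origination is the control that actually stops the escrow-firm style loss described earlier.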
Safe Internet Banking
• As use of the internet continues to expand, more banks are using the Web to offer products and services to customers.
• The internet offers the potential for safe, convenient new ways to conduct banking business, any day, any time. However safe banking online involves making good choices – decisions that will help you avoid costly surprises or even scams.
Protect yourself from Fraudulent Web Sites
• Watch out for copycat Web sites that deliberately use a name or Web address very similar to, but not the same as, that of a real financial institution.
• The intent is to lure you into clicking onto their Web site and giving your personal information, such as your account number and password.
• Always check that you have typed the correct Web site address for your bank before conducting a transaction.
Identity Theft Resources
• If you have been scammed by a phishing email you should:
- Contact the fraud department of one of the three consumer reporting agencies, Equifax, Experian or TransUnion, and place a fraud alert on all accounts.
- Contact the company or financial institution where your tampered accounts are held.
- File a report with the local police. Get a copy of the report.
- File a complaint with the Federal Trade Commission (FTC).
These steps, plus more information about identity theft, can be found on the Federal Trade Commission's Identity Theft website at http://www.ftc.gov/bcp/edu/microsites/idtheft/
Identity Theft Resources
• The FDIC has several online videos about protecting yourself from identity theft. These online videos are free.
• Visit the FDIC’s consumer resources webpage at http://www.fdic.gov/quicklinks/consumers.html