Electronic Payment Trends & Risks · 2018-04-01
TRANSCRIPT
CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited © 2014 CUNA Mutual Group, All Rights Reserved.
Electronic Payment Trends & Risks
Coastal Supervisory Committee and Internal Auditor Conference
Presented by: Ken Otsuka, Business Protection Risk Management
CUNA Mutual Group
2
Electronic Payment Trends
• In the beginning, there was online banking
– Members use a desktop or laptop to access their credit union accounts via the Internet
– Uses generally include: account inquiries, e-statements, bill pay, account-to-account (A2A) transfer service, cross-member transfers
• Then came mobile banking
– Members use mobile devices to access their credit union accounts
– Same uses as online banking
• Next on the horizon – mobile payments
3
Agenda
• Overview of account takeovers through online banking
• Mobile banking risks
• Mobile payments – the future
• ACH debit origination
4
Online Banking
5
Online Banking - Assault on Authentication
• Significant increase in account takeovers via online banking systems
– Started in 2007
– Business accounts have been primary targets
  • More money to steal
  • Often associated with the money mule scam
– Consumer accounts hit as well
• Cyber thieves use bill pay, Automated Clearing House (ACH) transfers or the wire feature to transfer funds to accounts at other institutions
• Account takeovers of member accounts at credit unions are escalating

What are money mules?
• “Money mules” are people recruited to assist in the laundering of stolen funds. Many money mules are not aware they are being used to commit fraud.
• Fraudsters typically find people (victims) to serve as money mules by searching websites where job seekers post their resumes.
• The victims are contacted by the fraudsters, who generally offer “work from home” opportunities as a “payment processor” or similar position. Upon being hired, the money mules receive transfers into their deposit account from the fraudsters with instructions to transfer most of the funds to an account at another financial institution. The money mules keep a portion of the funds as compensation.
6
Starts with a Phishing Attack
• Banking Trojans (malware) distributed in phishing attacks
– Keylogging feature steals online banking login credentials
• Spear phishing
– Targets a select group of employees at the same company
– Phishing emails sent to select employees at a company
• Whale phishing
– Targets a company’s top executives
7
Banking Trojans: Man-in-the-Browser (MITB) Attacks
• User’s web browser infected with banking Trojan (e.g., Zeus)
• Toolkit feature allows cyber thieves to target specific online banking websites
– Hundreds of online banking websites can be programmed into the MITB
• Automated scripts built into toolkit
– Navigating the website
– Executing transactions
• Receives updates from command and control center
• Awakens when user visits a targeted online banking site
• “Piggybacks” on the user’s online banking session
MITBs are completely automated
8
Man-in-the-Browser (MITB) Attacks
• Modifies actions of user in real time
– Transaction entered by user is modified by MITB
– Dollar amount of transaction and destination account are changed without user’s knowledge
• Can work independently of user
– Web injection to create pop-up window
– “Website under maintenance – please wait”
– MITB empties account
9
MITB Overwrites User’s Transaction

Transaction as it appears in the user’s browser:
Funds Transfer
Available balance: $38,975.00
From account: Jim (456789)
Transfer amount: $400.00
Destination institution: ABC Credit Union
Destination account: Tom (123456)
Submit / Cancel

Transaction initiated by MITB:
Funds Transfer
Available balance: $38,975.00
From account: Jim (456789)
Transfer amount: $10,000
Destination institution: XYZ Bank
Destination account: Bill (321654)
Submit / Cancel

This illustration is created for educational purposes only
10
MITB Attacks and Money Mules (diagram, steps in order)
Cyber crook: password-stealing Trojan sent as email attachment or link to infected website.
User logs into online banking system.
Trojan wakes up when targeted online banking website(s) visited.
User enters transfers (ACH or wires).
MITB overwrites user’s transaction, changing dollar amounts and destination accounts.
OR, web inject to create pop-up window: “Website under maintenance – please wait.” Trojan empties account.
Funds are sent to the money mules or to fund prepaid cards.
Mules withdraw money and wire to cyber crooks.
For educational purposes only
11
Authentication Options
• Something you know
– Password
– Answers to challenge questions
• Something you have
– IP address (PC recognition)
– USB token
– Smart card
– Password-generating token
• Something you are
– Biometrics
Man-in-the-browser (MITB) attacks have rendered what were once considered strong multifactor authentication methods ineffective
12
Layered Security Controls
• Real-time fraud monitoring solution with behavioral analytics*
• Out-of-band authentication
• Out-of-band transaction verification without transaction details
• Out-of-band transaction verification with transaction details*
• Monetary and frequency limits
• Enhanced controls over account maintenance changes initiated by customers through the online banking channel or through the call center
• Administrative function capabilities for business online banking
• Techniques to limit the use of the account – such as ACH debit blocks
• Restrictions on the days and hours of access
• Internet Protocol (IP) reputation-based tools to block connection to online banking servers from IP addresses known or suspected to be associated with fraudulent activities
* Can defend against MITB attacks
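As an added illustration, not part of the original deck, the following Python models why the asterisked control, out-of-band transaction verification with transaction details, defeats the slide-9 MITB scenario while verification without details does not. The accounts, amounts, code scheme and signing key are constructed for the example; the institution only ever sees the transaction the infected browser submitted.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    from_account: str
    amount_cents: int
    dest_institution: str
    dest_account: str

# Constructed from the slide-9 illustration: what Jim keyed vs. what the MITB submitted.
INTENDED = Transfer("456789", 40_000, "ABC Credit Union", "123456")
TAMPERED = Transfer("456789", 1_000_000, "XYZ Bank", "321654")

def describe(t: Transfer) -> str:
    return f"${t.amount_cents / 100:,.2f} to account {t.dest_account} at {t.dest_institution}"

def issue_code(key: bytes, t: Transfer, nonce: str) -> str:
    """One-time code bound to the exact transaction the institution received (constructed scheme)."""
    msg = f"{nonce}|{t.from_account}|{t.amount_cents}|{t.dest_institution}|{t.dest_account}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:8]

def build_sms(code: str, submitted: Transfer, with_details: bool) -> str:
    """Out-of-band message for the request the institution actually received."""
    if with_details:
        return f"Code {code} to approve: {describe(submitted)}"
    return f"Code {code} to approve your pending transfer"

def user_approves(sms: str, intended: Transfer) -> bool:
    """Member's side: with no details there is nothing to contradict, so the code goes back."""
    if "approve: " not in sms:
        return True
    return sms.split("approve: ", 1)[1] == describe(intended)

def run_verification(intended: Transfer, submitted: Transfer, with_details: bool,
                     key: bytes = b"constructed-demo-key") -> bool:
    """True if the institution would execute `submitted`; the MITB relays any code the member types."""
    nonce = secrets.token_hex(4)
    code = issue_code(key, submitted, nonce)
    if not user_approves(build_sms(code, submitted, with_details), intended):
        return False
    typed_back = code  # relayed unchanged by the infected browser
    return hmac.compare_digest(typed_back, issue_code(key, submitted, nonce))

if __name__ == "__main__":
    print("without details, executed:", run_verification(INTENDED, TAMPERED, False))  # True
    print("with details, executed:", run_verification(INTENDED, TAMPERED, True))  # False
```

The member is the only party who knows the intended transfer, so the second channel must carry the amount and destination for that comparison to happen; a bare code is approved blind.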
13
Mobile Banking
14
Mobile Banking Risks / Risk Mitigation

Short Message Service (SMS)
Risks:
• No guarantee the message sent will be received
• Messages sent in clear text format – no end-to-end protection (messages not encrypted)
Risk Mitigation:
• Should not be used for transfers to 3rd parties
• Text messages should not contain account numbers or other sensitive information

Wireless Access Protocol (WAP) / browser-based web-enabled device
Risks:
• Risks are similar to online banking
– Session hijacking (man-in-the-browser)
• Lost/stolen devices
• Login credentials stored on device
Risk Mitigation:
• Multifactor authentication
• Layered security controls

Smartphone / Tablet
Risks:
• Members may inadvertently download apps containing malware
• Lost/stolen devices
• Login credentials stored on device
Risk Mitigation:
• Download only “signed” applications from a trusted source (e.g., credit union’s website)
• Multifactor authentication
• Layered security controls
15
Mobile Malware: Man-in-the-Mobile (MITMO)
What is MITMO?
• Mobile malware
– Example: Zitmo (Zeus-in-the-Mobile)
• Defeats out-of-band authentication / transaction verification utilizing a transaction authorization number (TAN)
• Steals TANs sent by financial institutions to users via SMS text messages as part of the institution’s out-of-band process for logging into accounts through online banking / verifying transactions initiated by users

How does it work?
• Starts with infecting personal computer with banking Trojan (e.g., Zeus)
• User logs into account using personal computer
– MITMO wakes up because it’s a targeted online banking website
• MITMO injects Hypertext Markup Language (HTML) code
– Popup box appears in user’s browser
– Requests mobile vendor, model and phone number
– Device information returned to fraudster
• Fraudster sends SMS text message to user
– User instructed to download an update for the device – link is provided
– Malicious application installed on the device
• User initiates large dollar transaction
• Institution sends TAN via SMS text message to user to authenticate transaction
• MITMO forwards the message to the fraudster
16
Zeus-in-the-Mobile (Zitmo) – attack flow (diagram, steps in order)
Diagram elements: cyber crook, command & control center, online banking website, user’s computer, user’s mobile phone.
Cyber crook sends phishing email with attachment containing Zitmo / link to infected website. User’s computer infected with Zitmo.
Zitmo wakes up when targeted online banking website is visited.
Zitmo injects HTML code. Popup window: “Please provide information on your mobile device. Mobile device make: / Mobile number:”
User’s mobile phone information returned to cyber crook.
Cyber crook sends SMS to user to click on link to complete security upgrade on their mobile phone. User’s mobile phone infected with Zitmo.
User enters large $ transfers – ACH or wires.
Transaction Authorization Number (TAN) sent via SMS.
Zitmo forwards TAN to cyber crook.
Cyber crook is now in a position to hijack the user’s online banking sessions to steal funds.
17
Mobile Payments
18
Mobile Payments versus Mobile Banking
• Mobile payments are payments made to others initiated with a mobile device
• Mobile banking involves financial institution accountholders accessing their accounts held at the institution allowing them to check balances and to initiate transfers from their accounts to other parties
19
Regulatory & Security Issues
Regulatory Issues
• Mobile payments offered by non-financial institutions create uncertainty on whether existing consumer protection laws apply
– Funding source linked to prepaid account held by MPSPs
  • CFPB issued proposed amendment to Regulation E in November 2014 that extended protections to mobile payments linked to a prepaid account held at MPSPs
– Funding source linked to user’s wireless bill by MNOs
Security Issues
• The security and confidentiality of the transmission and storage of payment instructions and of the personal financial information of users
20
Mobile Payments and Consumer Protection Laws
Business Model: Financial Institution
Funding Source / Transaction Flow:
• Funding source is a checking account or credit card account held at the financial institution
• Transactions flow through traditional payment networks/channels
Regulatory Considerations:
• Existing consumer protection laws apply
– Reg E when funding source is checking account
– Reg Z when funding source is a credit card or other line of credit

Business Model: Mobile Payment Service Provider (MPSP)
Funding Source / Transaction Flow:
• Funding source could be a prepaid account held at MPSP
– Transactions flow through MPSP’s proprietary network
Regulatory Considerations:
• Existing consumer protection laws (Reg E) do not apply to prepaid accounts
• CFPB issued proposed amendment to Reg E that would extend consumer protections to mobile payments linked to a prepaid account held by MPSPs
Funding Source / Transaction Flow:
• Funding source could be a checking account or credit card account held at financial institution
– Transactions flow through traditional payment networks/channels
Regulatory Considerations:
• If the funding source for the transaction is a checking account or credit card, existing consumer protection laws apply
– Reg E when funding source is checking account
– Reg Z when funding source is a credit card or other line of credit

Business Model: Mobile Network Provider (MNO)
Funding Source / Transaction Flow:
• Funding source is user’s billing account with MNO
• Transactions flow through the MNO’s mobile network and the user’s wireless bill is charged for the amount of the transactions
Regulatory Considerations:
• Existing consumer protection laws (Reg E and Reg Z) do not apply when the mobile payment transactions are charged to the user’s wireless billing account
21
What are the Risks?
Risk: Lost/stolen devices
Risk Mitigation:
• Member education
• Deploy remote wipe capability (may require separate application)
• Password protect device
• Use mobile payment application’s password feature
Comments:
• Apple Pay Touch ID (fingerprint) secures the device – reducing the risk of fraud from lost/stolen device
• Expect to see more providers using biometrics for securing mobile devices/mobile payments software/applications

Risk: Malware/viruses
Risk Mitigation:
• Mobile antivirus/antimalware protection
Comments:
• May not be available for all device types

Risk: Malicious applications
Risk Mitigation:
• Member education
• Download applications from trusted source
Comments:
• Applications may be infected with malware

Risk: Jailbreaking the device
Risk Mitigation:
• Member education
Comments:
• Jailbreaking may disable important security features on the device

Risk: Fraud monitoring tools
Risk Mitigation:
• Fraud monitoring solution (real-time) to detect/prevent fraudulent transactions
22
Apple Pay Solves Security Issues?
• Apple Pay provides desired security
– Uses NFC technology
– Activated via Touch ID
– Account numbers are not stored on the device
• Unique Device Account Number is assigned, encrypted and stored in the secure element of the iPhone
– Each transaction is authorized with a one-time unique number using the Device Account Number, and a dynamic security code is created to validate the transaction
Tokenization removes the 16-digit card number from the equation.
23
ACH Debit Origination
Credit Risk
24
ACH Debit Risk: Account-to-Account (A2A) Transfer Service
• Dishonest member uses A2A feature to initiate ACH debits against accounts at other institutions to “pull” funds into his/her credit union account for deposit (ACH deposit)
• Credit union is considered the Originating Depository Financial Institution (ODFI)
– As ODFI, credit unions warrant that the ACH debits are properly authorized
• Other institutions have up to 60 days to return the ACH debits to the credit union if accountholders claim they are unauthorized
• Credit risk created by ACH debits is uninsurable
A2A is a payment type frequently offered with online/mobile banking
25
ACH Debit Risk: Account-to-Account (A2A) Transfer Service
• Understand credit risk associated with ACH debits originated by the credit union
• Conduct due diligence on members to qualify them for A2A
• Establish monetary and frequency limits
• Trial deposits
– Not foolproof
Mitigating the credit risk associated with ACH debits
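An added example, not from the deck, of how the monetary and frequency limits on this slide can be enforced on an A2A ACH debit request, with the credit union’s open exposure computed over the 60-day return window described on the previous slide. The member profile, limits, dates and amounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETURN_WINDOW_DAYS = 60  # receiving institutions may return a debit as unauthorized for up to 60 days

@dataclass(frozen=True)
class A2AProfile:
    """Per-member limits set after due diligence (constructed values)."""
    member_id: str
    per_item_limit_cents: int
    daily_limit_cents: int
    max_debits_per_day: int
    exposure_limit_cents: int  # originated debits that could still come back as returns

def open_exposure(originated: list[tuple[date, int]], today: date) -> int:
    """Sum of debits still inside the return window; this is the uninsurable credit risk."""
    cutoff = today - timedelta(days=RETURN_WINDOW_DAYS)
    return sum(amount for posted, amount in originated if posted > cutoff)

def evaluate_a2a_debit(profile: A2AProfile, originated: list[tuple[date, int]],
                       today: date, amount_cents: int) -> tuple[bool, str]:
    """Decide whether the credit union, as ODFI, should originate this ACH debit."""
    if amount_cents > profile.per_item_limit_cents:
        return False, "exceeds per-item limit"
    todays = [amount for posted, amount in originated if posted == today]
    if len(todays) >= profile.max_debits_per_day:
        return False, "exceeds daily frequency limit"
    if sum(todays) + amount_cents > profile.daily_limit_cents:
        return False, "exceeds daily dollar limit"
    if open_exposure(originated, today) + amount_cents > profile.exposure_limit_cents:
        return False, "exceeds open return-window exposure"
    return True, "approved"

# Constructed history for one member: (posting date, amount in cents).
PROFILE = A2AProfile("M-1001", 500_000, 300_000, 3, 500_000)
HISTORY = [(date(2014, 4, 15), 300_000), (date(2014, 5, 20), 250_000), (date(2014, 6, 30), 100_000)]
TODAY = date(2014, 6, 30)

if __name__ == "__main__":
    print(open_exposure(HISTORY, TODAY))  # 350000: the April debit is past the return window
    print(evaluate_a2a_debit(PROFILE, HISTORY, TODAY, 200_000))  # (False, 'exceeds open return-window exposure')
    print(evaluate_a2a_debit(PROFILE, HISTORY, TODAY, 100_000))  # (True, 'approved')
```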
26
ACH Debit Risk: Credit Card Booster Payments via ACH
• Members make fraudulent payments on credit union-issued credit cards via ACH
– Funds are pulled from accounts at other institutions
– Payments often exceed the balance
• Credit unions are considered the originating depository financial institution (ODFI)
• Credit risk associated with ACH debits is uninsurable
Booster payments via ACH on a single card could easily result in a six-figure loss
27
Summary
• The use of electronic transactions via online banking/mobile banking is growing by leaps and bounds
• Account takeovers can damage your reputation
• Understand the risks associated with mobile payments
• Understand the credit risk associated with originating ACH debits
28
Questions & Answers
Ken Otsuka, CPA
Senior Consultant - Risk Management
CUNA Mutual Group
Email: [email protected]
29
Disclaimer
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.
CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.
This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
CUPRM-894560.1-0414-0516 ©CUNA Mutual Group 2014, All Rights Reserved.
30