TRANSCRIPT
SVB ONLINE SEMINAR:
How You Can Protect Your Company
From Business Account Fraud
June 22, 2011
Panelists
• Tim Toller, Director, Channel Management, Silicon Valley Bank
• Jason Kobus, Senior Online Channel Manager, Silicon Valley Bank
Agenda
Fraudsters Abound . . .
• Crime pays: It’s big business
• What’s going on out there
• Recognizing the patterns of fraud
• Why small businesses are targets and why larger businesses should care
What You Can Do to Protect Your Business
• Admit it: There’s a problem
• Protect your infrastructure
• Control yourself (and others)
• Leverage the solutions and services your bank offers
Fraudsters Abound . . .
Crime Pays: It’s Big Business
• Recent Javelin study estimates small business fraud totaled $8 billion
• “Fraud as a Service”
What’s Going On Out There
• Incidents are on the rise in number and audacity
• Thousands of strains of malware are being distributed and anti-virus (AV) firms
can’t keep up
• 48% of internet connected machines are infected, with 8% of computers
infected with a banker trojan or password stealer
• Shark-phishing/whaling schemes are directed to C-level executives
• Money mules are signing up to help
• Fraudsters use social networking sites to launch malware and to conduct social
engineering attacks
• URL shorteners used to obfuscate phishing sites
Fraudsters Abound . . .
Recognizing the Patterns of Fraud
• Spear phishing and whaling schemes directed to business executives
pretending to be opportunities or government sources (e.g., IRS, court)
• Malware downloaded via e-mail or hot-linked website
o Key-logging monitors recording and reporting bank credentials
o Malware attacks account for 37% of breaches YTD (up from 17% for 2010)
o Fraudsters use Man-in-the-Browser attacks which may terminate your session
unexpectedly and allow the fraudsters to hijack it
• Business accounts accessed and outbound electronic payments (<$10K)
generated to domestic accounts
o ACH
o Wires
• “Mules” hired to open accounts and forward funds
• Money is being moved to multiple international destinations
Fraudsters Abound . . .
Why Small Businesses are Targets . . .
• They have online funds transfer capability
• They frequently lack the required defensive tools:
o IT services and resources
o Sophisticated cash management services
o Daily monitoring of their accounts
And Why Larger Businesses Should Care . . .
• The average balance, per account: $500,000
• This figure immediately makes your account a high-value target
• Fiduciary responsibility to reduce risk through diversification of accounts
• Protect corporate assets — fraudsters read the same press we do
What You Can Do to Protect Your Business
Admit It: There’s a Problem
The Primary Reasons Companies Experience Loss*
• Failure to enforce internal controls
• Failure to reconcile or return checks on a timely basis
• Internal employee fraud
• Loss, theft or counterfeit payroll checks
• Mismanagement of online users
• Changes of vendor addresses to employee’s address (Match your AP vendor
address file to your employee file)
• Failure to use fraud prevention services
There is No Silver Bullet
• Match the solution to the threat as threats will evolve and change
• Regulators are emphasizing risk assessment of emerging threats like Man-in-the-Browser (MIB),
MFA for high risk transactions, stronger authentication such as device identification, and awareness
At a Minimum
• Use the best security you can afford
• Educate and control your employees
• Monitor your account(s)
• Notify your bank of fraud ASAP
* Based on industry data and AFP Payments Fraud and Control Survey
Protect Your Infrastructure
• Protect Your Network
o Use a router to secure broadband Internet connections
o Secure your wireless network
• Protect Your Computer
o Keep your operating system and Web browser up-to-date
o Use anti-virus software and keep it up to date
o Beware of Wi-Fi hotspots
o Do not install software without knowing what it is
o Log off when you are through using a Web application requiring authentication
o Do not click inside pop-up windows unless they are from a trusted Web site
o Watch for people looking over your shoulder
Control Yourself (and Others)
Internal Controls are Essential
1. Reconcile regularly: Review accounts daily; Perform weekly or monthly account reconcilement to spot anomalies
2. Require two to tango: Separate duties so that it takes at least two people to complete a transaction — one who initiates and another who approves
3. Structure your accounts: Separate your operating accounts — and only allow access based on need or role
4. Review daily activity online
5. Physical controls over pre-printed check stock/facsimile signatures
6. Close accounts which have had fraudulent activity
7. Keep authorizations up-to-date
8. Know your employees: Verify references and check criminal background
9. Check accounting records closely for several months
10. Know your vendors
11. Protect your access credentials and use unique credentials for banking sites
Control Yourself (and Others)
Control Extends to Online Access and Practices
1. Use strong passwords: Include letters, numbers and characters; change frequently
2. Protect confidential information, passwords/PINs
3. Review/train online users
4. Use dual control services when possible
5. Make use of alerts: To flag large and unusual transactions and activities
6. Trust your eyes: Look for visual clues (e.g., last logon time)
7. Take advantage of available fraud prevention tools
8. Stay current and informed: Read bulletins and emails
9. Log out: Do not simply close the browser; make sure you actually use the log-out feature
10. Be aware that fraudsters can use social networking for reconnaissance to make their attacks seem more believable
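The fraud pattern the deck describes (sub-$10K ACH and wire payments to newly added domestic beneficiaries, several in one day, with funds then moved abroad) is exactly what the "make use of alerts" control should catch. The following is an added example, not code from SVB or from the seminar, of a daily alert rule over a constructed batch of outbound payments; the thresholds, user names, beneficiary labels and the known-beneficiary list are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    pay_id: str
    kind: str         # "ACH" or "WIRE"
    amount: float
    beneficiary: str  # destination account label (constructed)
    country: str      # country of the destination bank
    initiator: str    # online banking user who created the payment

# Constructed: beneficiaries this company has paid before (from reconciled history).
KNOWN_BENEFICIARIES = {"ACME-SUPPLY-0042", "PAYROLL-TRUST-0007"}

# Assumed thresholds chosen to mirror the deck's "<$10K" pattern; tune them to the account.
NEAR_LIMIT = 10_000.0        # typical review threshold fraudsters try to stay under
NEAR_LIMIT_FLOOR = 8_000.0   # anything from here up to the limit counts as "just under"
NEW_PAYEE_BURST = 2          # this many new-beneficiary payments in one day is a burst

def alert_rules(day: list[Payment]) -> dict[str, list[str]]:
    """Return {pay_id: [reasons]} for every payment in the day's batch that
    should generate an alert for the account owner to review and, if it is
    not recognised, report to the bank immediately."""
    reasons: dict[str, list[str]] = defaultdict(list)
    new_payee_ids = []
    for p in day:
        if p.beneficiary not in KNOWN_BENEFICIARIES:
            reasons[p.pay_id].append("new beneficiary")
            new_payee_ids.append(p.pay_id)
        if NEAR_LIMIT_FLOOR <= p.amount < NEAR_LIMIT:
            reasons[p.pay_id].append("amount just under $10K")
        if p.country != "US":
            reasons[p.pay_id].append(f"international destination ({p.country})")
    # Several first-time payees in one day matches the mule-account pattern in the deck.
    if len(new_payee_ids) >= NEW_PAYEE_BURST:
        for pay_id in new_payee_ids:
            reasons[pay_id].append("burst of new-beneficiary payments today")
    return dict(reasons)

# Constructed sample batch: one routine supplier payment and three that fit the pattern.
SAMPLE_DAY = [
    Payment("P1", "ACH", 2_500.00, "ACME-SUPPLY-0042", "US", "alice"),
    Payment("P2", "ACH", 9_400.00, "UNKNOWN-1187", "US", "alice"),
    Payment("P3", "ACH", 9_750.00, "UNKNOWN-2230", "US", "alice"),
    Payment("P4", "WIRE", 4_200.00, "UNKNOWN-5510", "XX", "alice"),
]
```

Running `alert_rules(SAMPLE_DAY)` leaves P1 unflagged and returns reasons for P2, P3 and P4, which is the list a daily reviewer (or a bank alert feed) would act on.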
Leverage the Solutions & Services Your Bank Offers
SVBeConnect Entitlement Controls
• User Administration: Management of account/transaction access, including
multiple levels of approvals by payment type, amount, and account
• Dual administration of user entitlements
• Intra-day reporting of transactions
• Alerts of events, balances, transactions, and administration
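The entitlement controls listed above, together with the earlier "require two to tango" rule, amount to a dual-control approval workflow: the initiator can never approve, each approver has a limit per payment type and account, and larger payments need a second approver. The block below is an added example of that workflow and is not SVBeConnect code; the users, accounts, limits and the second-approver tier are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Payment:
    pay_id: str
    kind: str            # "ACH" or "WIRE"
    account: str         # debit account the payment is drawn on
    amount: float
    initiator: str       # user who created the payment
    approvals: list[str] = field(default_factory=list)

# Constructed entitlements: user -> {(payment type, account): approval limit}.
# Limits are set per payment type and account, as the deck describes.
ENTITLEMENTS = {
    "alice": {("ACH", "OPER-01"): 25_000.0},
    "bob":   {("ACH", "OPER-01"): 50_000.0, ("WIRE", "OPER-01"): 50_000.0},
    "carol": {("ACH", "OPER-01"): 250_000.0, ("WIRE", "OPER-01"): 250_000.0},
}
# Assumed tier for the example: at or above this amount a second approver is required.
SECOND_APPROVER_AT = 20_000.0

def approve(p: Payment, approver: str) -> str:
    """Apply one approval. Returns 'released', 'pending' (more approvals needed)
    or 'rejected: <reason>'. Separation of duties: the initiator can never be
    an approver, and the same person cannot approve twice."""
    if approver == p.initiator:
        return "rejected: approver may not be the initiator"
    if approver in p.approvals:
        return "rejected: duplicate approval"
    limit = ENTITLEMENTS.get(approver, {}).get((p.kind, p.account))
    if limit is None:
        return "rejected: no entitlement for this payment type and account"
    if p.amount > limit:
        return "rejected: amount exceeds approver's limit"
    p.approvals.append(approver)
    needed = 2 if p.amount >= SECOND_APPROVER_AT else 1
    return "released" if len(p.approvals) >= needed else "pending"

def release_wire_example() -> list[str]:
    """Walk a constructed $30K wire through the workflow and return each outcome."""
    p = Payment("W1", "WIRE", "OPER-01", 30_000.0, initiator="alice")
    return [approve(p, "alice"), approve(p, "bob"), approve(p, "bob"), approve(p, "carol")]
```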
SVBeConnect Authentication and Security Options
• Choice of a Virtual Keypad or Text Pad to enter strong passwords
• Virtual slider (a software based token)
• Trusteer’s Rapport®
• Call-to-Verify (out-of-band, in-session authentication)
Education
• Fraud Resource Center on svb.com
Trusteer Rapport
Rapport Differs from Anti-Virus and Firewalls
• Locks down access to financial and private data instead of looking for malware
signatures
• Communicates with your online banking Web site to provide feedback on
security level and report unauthorized access attempts
• Enables you to take immediate action against changes in threat
• Blocks Zeus, Torpig, Silent banker and other man-in-the-browser attacks
• Blocks malware attacks including key-loggers, screen scrapers and pharming
• Enables phishing site detection and confirmation
SVBeConnect: Out-of-Band Authentication
Questions
Biographies
Tim Toller
Tim Toller is a senior channel manager in Silicon Valley Bank’s Global Products
and Services group. He focuses on developing cash management and online
banking solutions for small- and middle-market companies. He’s been developing
cash management solutions for Silicon Valley Bank’s clients for over 10 years.
Prior to SVB, Tim worked at Stanford’s business school with faculty to
study how early-stage technology and life science companies evolve into mature
organizations. Before Stanford, Tim served as an ethics counselor for the State
Bar of California, where he assisted California attorneys in interpreting their code of
ethics.
Tim holds a bachelor’s degree in English and medieval history from Stanford
University and his JD degree from the University of San Francisco School of Law.
Director, Channel Management, Silicon Valley Bank
Jason Kobus
Jason Kobus is a senior channel manager with Silicon Valley Bank’s Product
Development and Channel Delivery team with a focus on authentication and
portal strategy for the online channel. In his prior role at SVB, Jason managed the
GLBA, privacy, and ID theft prevention programs.
Prior to joining SVB in 2007, Jason was a consultant with Deloitte’s Enterprise
Risk Services specializing in helping companies to secure and protect data in
accordance with legal and industry standards. He also worked at Merrill Lynch as
Vice President/Information Security & Privacy Officer, and was involved in a wide
range of application and infrastructure integration efforts including acquisitions, IT
disaster recovery, and enterprise and online portals.
Jason earned his bachelor’s degree in Financial and Economic Studies from the
University of Western Ontario (Canada). He holds the Project Management
Professional, Certified Internal Auditor, and several information security
certifications.
Senior Online Channel Manager, Silicon Valley Bank
Disclosures
This material, including without limitation the statistical information herein, is provided for informational purposes only. The material is based in part upon information from third-party sources that we believe to be reliable, but which has not been independently verified by us and, as such, we do not represent that the information is accurate or complete. The information should not be viewed as tax, investment, legal or other advice nor is it to be relied on in making an investment or other decision. You should obtain relevant and specific professional advice before making any investment decision. Nothing relating to the material should be construed as a solicitation or offer, or recommendation, to acquire or dispose of any investment or to engage in any other transaction.
©2011 Silicon Valley Bank. All rights reserved. Member of FDIC and Federal Reserve System. SVB, SVB>, and SVB>Find a way are all registered trademarks of SVB Financial Group; Silicon Valley bank is a registered trademark of Silicon Valley Bank.