fraud protections, cyber-theft and controls
Post on 30-Dec-2015
44 Views
Preview:
DESCRIPTION
TRANSCRIPT
Fraud Protections, Cyber-Theft and Controls
By: David T. Schwindt, CPA RS PRA
2
David T. Schwindt David T. Schwindt, CPA, a native Oregonian, has over twenty five years experience
in public and private accounting including employment with the Portland, Oregon and Denver, Colorado, offices of KPMG Peat Marwick. Mr. Schwindt’s tenure was spent primarily in the Private Business Advisory Services Department providing auditing, accounting, tax, and management consulting services for businesses as well as tax compliance and planning for individuals.
Mr. Schwindt is a graduate of Western Oregon University where he received a Bachelor of Science Degree. He is a Certified Public Accountant in the State of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist – RS, licensed by Community Associations Institute and a Professional Reserve Analyst – PRA, licensed by the Association of Professional Reserve Analysts. He is a past director for Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado and member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council.
Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.
Cyber-theft
Are we at risk?
YES!!
3
Who Should be concerned?• Board Members• Management Companies• Affiliates
– CPAs– Bookkeepers– Insurance Agents– Bankers– Attorney
• Treasurers who have control over reserve funds
4
5
Understanding the Adversary• Known fraud rings are mostly Eastern European (Ukrainian, Russian,
Romanian, Estonian) as well as Asian• Complete service-based economy with specialists in
– ATMs– ACH and wire payment systems– Check processing– Credit card processing
• Online libraries, education, marketplace and recruitment– Malware kits sell for as little as $5,000– Some kits even come with tech support
• Attacks involve social engineering and technical aspects
6
The Goal of Criminals
• Steal cash• Steal information that can be converted
to cash
7
Dissecting a Zeus Attack
Account Take Over
Dissecting an Attack
1. Target Victims
2. Install Malware
3. Online Banking
4. Collect & Transmit
Data
5. Initiate Funds
Transfer
Criminals target victims by way of phishing or social engineering techniques
The victims unknowingly install malwareon their computers, often including key loggingand screen shot capabilities
The victims visit their online banking website and log on per the standard process
The malware collects and transmits data back to the criminals through a back door connection
The criminals leverage the victim’s online banking credentials toinitiate a funds transfer from the victim’s account.
8
Phishing• Criminals “phish” for victims using emails, pop-up’s and social
engineering• Unsolicited phishing emails may
– Ask for personal or account information– Direct the employee to click on a malicious link– Contain attachments that are infected with malware– Contain publicly available information to look legitimate
• Phishing emails can be very convincing– From UPS: “There is a problem with your shipment.”– From your bank: “There is a problem with your bank account.”– From the Better Business Bureau: “A complaint has been filed against you.”– From a Court: “You’ve been served a subpoena/selected for jury duty.”– From NACHA or the Federal Reserve: “Your ACH or wire transaction has been
rejected.”– From a job applicant: “My resume is attached.”
9
Sample Phishing EmailNACHA Phishing Alert (01/19/2010) – Email Claiming to be from NACHA
= = = = = Sample Email = = = = =
Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Please Find Attached Transaction Report
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Paul Arnold
Electronic Payments Association Manager
= = = = = = = = = = = = = = = = = = = =
10
Malicious Software (Malware)• Downloaded to PC after employee opens infected
attachments in an email or visits a nefarious website• Newer malware can be acquired simply by viewing
HTML emails• Allows criminals to “see” and track employee’s
activities internally and on the Internet, including visits to online banking sites
• Criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate
If you are hacked and your money is gone, who will reimburse you?
• Bank?• Management Company?• Insurance Company?
– Fidelity Insurance?– Computer Fraud Insurance?
11
Safeguards• Passwords
– Complex– Change passwords regularly– Do not share– Do not store on computer
• Stand Alone Computer– No web browsing– No emails– Password
12
• Dual Authorizations , online transactions should be coordinated with the Bank
• Financial/IT Audits– Implement recommendations– Yearly– Audits vs Reviews
• Education– Board Members– Management Company Personnel
13
• Written Protocols– Controls– Ongoing Education– In the event of an attack
• Contingency Plans• Daily reviews of all online transactions
– Banks require immediate notification
• Firewalls, Anti-virus, IT Security Software, and Protocols
14
Who is ultimately responsible for ensuring that strong controls are
in place to prevent cyber-theft?A.Association management
companyB.Independent AuditorC.Insurance AgentD.Board of DirectorsE.Banker
15
Answer: D. Board of Directors
How does the Board of Directors fulfill this
responsibility?• Engaging professionals
– CPA– Management Company– Insurance Agent– Banker– IT Consultant
• Documenting protocols
16
17
Summary• Conduct periodic risk assessments• Educate Board, management company, and committee
members as to the threat, defenses and risks• Use a stand-alone PC for online banking; prohibit email, web
surfing, etc.• Use dual control, dual authorization, activity limits, and receive
alerts• Review accounts and transactions regularly• Recognize the signs of malware on the PC• Suspect malware? Stop, unplug the PC and contact your FI
immediately.• Comply with the PCI Data Security Standards• Computer fraud and Fidelity Insurance
18
A Classic Risk Management Quote
“When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident…or any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”
-Edward J. Smith, 1907
(Captain, RMS Titanic, 1912)
Cyber Theft
Presented by Kris Gjylameti
Cyber Crime – Growing Trend
• Cyber thieves have costs US companies more than $ 15bn in the past five years, the FDIC corporation found in a recent study.
• Cyber-crime in 2009336,655 complaints received$560M lost (not including unreported incidents)
• Cyber-crime in 2008275,284 complaints received$265M lost (not including unreported incidents)
Sample Corporate Account Takeovers and Losses
• Pennsylvania School District - $450,000• New York School District - $500,000• Experi-Metal - $550,000• PATCO - $358,000• Hillary Machinery - $229,000• Illinois Town - $70,000• Marian College - $189,000• Sand Springs School - $80,000• Sycamore County Schools - $300,000• Village View Escrow - $465,000• Catholic Diocese of Des Moines - $600,000• Town of Pittsford, NY - $139,000• Steuben Arcs - $158,000• St. Isidore’s Catholic Church - $87,000• Two Trucking Companies - $115,000• MECA - $217,000
FDIC - Trivia
Do you think that the FDIC will insure your money from a cyber theft event?
• YES
• NO
Primary Targets – Companies
• Cyber criminals are no longer attacking banks, they are targeting business
• Primary banking products are ACH and wire transfers, Online Bill Pay, E payments Management Companies are
the perfect target – Associations with large deposit amounts!!!
Is this you?
Accept that these threats are real and it could happen to you!
• The key is awareness and action on that awareness
• If you notice behavior by your system, staff, affiliates or other personnel that just doesn’t seem right, question it
Awareness
• Do not open attachments or enter links where the sender is not know to you or the information was not solicited/initiated by you
• Security information WILL NEVER be solicited by email
• Only browse on internet for business related needs
Prevention Methods
• Does your bank give board members online banking transaction capabilities?
• Do they ask if the board has proper internal controls?
• Dual Controls in online banking
• Multiple user approval features and approval levels
Questions to ask your Banker
• User level functionality that allows you to set access and limits per the needs of the user along with managing what the user can see.
• Email notifications – Have your balances changed?
Questions to ask your Banker
• Out of Band verification for ACH and Wire transactions when funds are leaving your account.
• Does your bank provide a layered security?
Questions to ask your Banker
Control: Out-of-Band Authentication
Enhanced Multi-Factor Authentication1. User logs in with their Username andPassword
• Something you know
• 2. User is prompted to select channel for• delivery of One Time Password (OTP)
• • Something you have *
Control: Out-of-Band Authentication
Because of multi-factor authentication, fraudster can not independently loginto a user account.• Fraudster would need to know username/password AND have the users phone. *
• Require secondary approval of transactionsor key changes with OTP
Control: Transaction Verification
• Immediate fraud identification, reporting and escalation is required.
• Commercial Clients have a duty to secure their information.
• Losses due to commercial client negligence can possibly result in a loss to the client.
Consumer v.s. Commercial Banking fraud
• Bank should call to verify whether a transaction is authentic:
• The call should go to someone other than the person who initiated the transaction
• Call should be confirmed by a “PIN”
Control: Callbacks
• Reporting periods for are based on the method of fraud and other circumstances. Check with your bank and ask for their specific reporting criteria.
• Millions can be lost in minutes so don’t delay! Contact your bank and make them aware of the cyber theft.
• Immediate reporting is critical to the success of recovering and mitigating losses when fraud occurs due to the timeframes set by the Federal Reserve, UCC or NACHA
Consumer v.s. Commercial Banking fraud
• Reg E – Provides Consumer Protection.
• Consumers enjoy much more protection from cyber theft or banking fraud.
• There is less of a burden for consumers and more on Commercial Businesses
Consumer Protection
• Monitor your account and audit your NACHA files for fraudulent activity.
• Collectively participate in your own - Information Security
• There is varying case laws with commercial client breaches – each situation is unique
Commercial Clients
MOST IMPORTANTLY, if you think you have clicked, open or downloaded a virus or software program, notify your supervisor
and/or IT staff immediately
The longer you wait, the more damage can occur!!!
Prevention Methods continued
• FDIC - website (www.fdic.gov) offers a wealth of information on this and related topics
• FDIC - has produced an excellent video “Don’t be an Online Victim” which can be found on YouTube
Additional Resources
“The world isn’t run by weapons anymore, or energy, or money. Its run by little ones and zeroes, little bits of
data. “Sneakers (1992)
Kris Gjylameti
top related