BAI Learning & Development: eBanking Incident Response
TRANSCRIPT
Tom Garcia: InfoSight President, CEO
• Technology & Financial Data Processing experience: 21+ years
• A frequent speaker on Regulatory Compliance, Security, and Technology at organizations such as: FFIEC / FDIC, NCUA, Fiserv and many State Banker’s Association Events.
• Founded InfoSight because of experience with proprietary banking applications, networking, and data security technologies
• One of the first to bring Managed Security Services to the community banking industry
• Positioned InfoSight as a “Trusted Advisor” because of in-depth knowledge of Compliance & Risk Management (since 1998)
What we’ll cover today …
1. Online banking fraud
2. How does it impact you & your customer?
3. Real life examples
4. Best practices for reducing the risk
5. Steps to take when a client is victimized
Corporate Account Takeover
Online banking fraud has become common: ACH fraud, wire fraud.

Online banking fraud
Most online banking fraud schemes involve two steps:
1. The criminal obtains the customer's account access data, i.e. login name and password
   • Phishing
   • Social engineering
   • Malware
2. The criminal uses this information to transfer money to other accounts and withdraws the funds
New multi-dimensional attack on eBanking customers
• A new and very successful variation of the ZITMO, or Zeus-In-The-Mobile, trojans which could potentially affect banks worldwide
• Infects both the computers and mobile devices of online banking customers
• Two-factor authentication is circumvented in the attack and used by attackers to authenticate their illicit transfers
• Infects both corporate and private banking users
36+ million Euros stolen from more than 30,000 bank customers
[Figure: numbered attack flow (steps 1 to 5) between the customer and the customer’s mobile device]
A long history of threats to financial institutions
1. ZEUS – June 2007
2. Stuxnet – 2010
3. Duqu
4. Flame
5. Citadel – January 2012
6. Reveton ransom malware merged with Citadel – February 2012
7. Gauss – August 2012
8. Gozi Prinimalka – Oct 2012
9. DDoS
Pre-made or customized attack tools now on sale!
• Advancements in fraud technology have automated the process
• Scripts are designed to work with specific online banking websites & automate the entire fraud process
• They can bypass and/or intercept multi-factor authorization systems
• Automatic transfer system (ATS) developed for specific malware platforms such as Zeus/SpyEye can read account balances automatically and transfer predefined sums to money mules
The underground market for financial fraud malware continues to innovate and offer solutions to criminals.
Fraud is getting easier & more affordable than ever before: BlackHole Exploit Kit, $50/day or $1500/year
Top account takeover threats for 2013
1. Mobile malware, which already is taking a toll on European accounts;
2. Botnets and advanced persistent threat tactics to penetrate bank networks and find holes in the fraud defenses;
• Criminal partnerships in which one group of fraudsters would launch an attack using one vector, while another uses a different vector to commit fraud (i.e. last year’s Zeus & Ransomware attacks).
DDoS – “creating the diversion?”
[Figure: target graphic]
Having the right Balance is Key!
[Figure: triangle balancing Security, Usability and Cost]
Your customers need to understand that security is as much their responsibility as it is yours.
What impact does fraud have?
[Infographic of survey percentages (values not captured in the transcript): customers using mobile banking, up from 23% in 2010; SMBs that conduct half of their banking online; businesses that believe their bank is ultimately responsible for ensuring the security of their online accounts; businesses that feel only one successful fraud involving their online account would destroy their confidence in their bank*; businesses that experienced OLB fraud at some time in the past; businesses that said their business accounts were targeted in 2012; businesses that leave their institution for another after one incident!!]
A picture is worth a thousand words…

How does fraud impact you?
“Perception is Reality”
If a customer falls victim they become afraid and begin to lack trust in your security.
Source: 2012 Business Banking Trust Study, Ponemon Institute
• Perceptions have consequences…
• Obstacles are created in driving customers to self-service channels
• Financial loss (FIs are able to fully recover funds only 12% of the time)
• Loss of Customers and associated revenue
• Business disruption & loss of productivity
• Legal litigation fees
• Companies with a stronger security posture experience a lower overall cost
  • Includes security awareness training activities
• Reality
  • It’s more profitable to retain our existing customer base
Real life examples
Year  Case                                        Amount
2009  PATCO vs. Ocean Bank                        $588,000
2010  Village View Escrow                         $465,000
2009  Experi-Metal vs. Comerica                   $560,000
2010  Choice Escrow & Land vs. BancorpSouth       $440,000
2012  Ascent Builders vs. Bank of the West        $900,000
2010  No Garland Regional Water District          $440,000
2010  Hillary Machinery vs. PlainsCapital Bank    $801,000
2010  Catholic Diocese vs. Bankers Trust          $600,000
Lacking sophistication & appropriate security, SMBs make great targets
DDoS
What types of incidents are occurring that we don't hear about?
Lessons learned from recent court cases
1. Having a lot of technology is not enough.
2. The courts are shifting expectations of banks.
3. “One-size-fits-all” security solutions don’t work.
4. Monitor. Monitor. Monitor.
5. Total losses are much higher than the fraudulent transfer.
76% of financial institutions find out about fraud from their customers.
How does fraud impact you?
Moral of the story?
1. Inform your business customers of your policies & their responsibilities
2. Provide security awareness education for their employees
3. Prepare in advance how you might remediate the relationship when an incident occurs
Best practices for reducing the risk
Security today is a shared responsibility, but the reality is that your customers are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert.
What’s a financial institution to do, or not to do?
[Cartoon caption: “Sure glad the hole isn’t at our end!”]
There is a big risk in accepting too much responsibility, so being prepared is key!

Best practices for reducing the risk
PROTECT – DETECT – RESPOND
Protect: Corporate account takeover
1. Include Corporate Account Takeover in risk assessment (pre- and post-implementation) for ACH & wire fraud
2. Identify higher risk customers
3. Communicate basic security practices to business account holders
4. Review customer agreements with business account holders (enrollment forms & processes)
5. Enhance Bank Controls to mitigate risks
6. Inform the Board of Directors
7. Contact Vendors to validate their controls
8. Educate customers & provide tools
   • Develop an “effective” Customer Security Awareness Program
   • Create a program for both retail and commercial account holders
   • Encourage business customers to perform a periodic controls evaluation
   • Provide the sources to find alternative control mechanisms
   • Suggest high-risk business customers consider cyber-crime insurance and/or a dedicated PC for eBanking activities
   • Create a “buzz” by making education a continuum
   • Link to dynamic content (www.MySecurityAwareness.com)
   • Automate the process where possible
Detect
9. Establish both automated and manual monitoring systems
   • Anomaly Detection is now a requirement
   • Enhanced admin controls are also a requirement
10. Educate account holders of warning signs & red flags
   • Applies to account types
   • Have an effective Customer Security Awareness Program (CSAP)
11. Educate bank employees of warning signs & red flags
   • Try to “kill two birds with one stone” with your CSAP
   • Branch employees need to know what to say when customers ask
Respond
12. Update Incident Response Plans to include corporate account takeover
13. Immediately verify suspicious transactions (anomaly detection & verification process)
14. Immediately reverse fraudulent transactions
15. Send fraudulent file alert through the FRB’s FedLine system
16. Immediately notify receiving banks of fraudulent transactions
17. Suspend use of compromised accounts
18. Contact law enforcement and regulating agencies
19. Document recovery efforts
Steps to take when a customer is victimized
A general incident response template would include:
1. The direct contact numbers of key bank employees (including after hour numbers);
2. Steps the account holder should consider to limit further unauthorized transactions, such as:
   • Changing passwords;
   • Disconnecting computers used for Internet banking; and
   • Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
3. Information the account holder will provide to assist the bank in recovering their money;
4. Contacting their insurance carrier (if applicable); and
5. Working with computer forensic specialists and law enforcement to review appropriate equipment.
Incident Response Planning
Contain the incident
1. Turn off module (i.e. ACH or Wire) on all levels (the client and for all “employees” of client).
2. Turn off inquiry ability on client and all employees of client to restrict account viewing.
3. Obtain client User ID and inquire on admin console.
4. Change client and employee passwords.
5. Place all client accounts on “non-post” to restrict transactions from being posted to account.
6. If a wire or ACH transaction was performed, immediately put a stop payment on the transaction and contact the receiving bank, inform them that it was a fraudulent wire and request funds to be returned.
7. The above processes are to be reviewed by a second individual to ensure all is completed. The following day, pull the file maintenance reports to document the changes.
Investigate, mitigate & preserve evidence
8. Flag customer account or place a comment on customer account for fraud.
9. Pull Client history & transaction reports.
10. Pull local image reports for transactions if ACH, or Wire logs if wire.
11. Pull Report “Transactions by Employee” and print history of client/employees in question. This report will pinpoint the time the transactions in question were executed.
12. Contact Service Provider (outsourced environments only) and request that all logs are preserved from its Information Security area for IP address identification and intrusion information. You may need to provide core provider with copies of the local log reports to pinpoint time of logon, etc.
13. Identify Transactions in question and begin to contact institutions and notify them of fraudulent transactions. Some banks will require a letter of Indemnification for ACH or Service Message for Wires. Set up tracking spreadsheet to monitor progress of reimbursement of funds.
14. Ensure all internal policies and procedures were followed (i.e. transaction thresholds, transaction volumes, call back procedures, etc.)
15. Work with client to determine cause of fraudulent transaction. Try to determine if they recognized anything different, responded to or clicked on any suspicious emails.
16. Work with client to understand client’s system configurations (i.e. network, virus and malware protection, etc.)
Report & document
17. Follow Bank’s incident response process and communicate to all internal bank management and personnel
18. Begin to document all conversations with client, host provider(s) (core and online banking)
19. Pull and hold Client internal file and all agreements
20. Gather Sr. Management Team to discuss strategy
21. Have the client contact the FBI, US Secret Service and the local police
22. Contact the bank’s Risk Management department to determine if the Insurance Company (Cyber & Blanket Bond) needs to be contacted.
23. Gather information and File SAR.
24. If required by policy or regulation contact regulatory agency (FDIC, State, etc.)
Remediate
1. Work with client to ensure the following:
   • All virus and malware protection has been updated.
   • All risks have been identified and a plan has been put in place to mitigate them.
   • Restore systems to operation.
2. Review internal policies and procedures
3. Re-enable client access
Executive decisions & resolution
1. Have an internal meeting with all key personnel to identify cause of incident and document lessons learned

1. Update any policies or procedures that need to be updated
2. Ensure appropriate employees are trained on any new processes
3. Have a meeting/call with client to educate them on how the incident occurred and provide them pointers in how to secure their environment

1. Document decisions made by management
2. Change any process that needs to be modified to improve transaction security
   • Limit dollar and/or transaction amounts
   • Limit the number of transactions
   • Implement call back procedures, etc.
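One way to put the deck's automated monitoring (anomaly detection with a hold for out-of-band verification, per-customer dollar and transaction-count limits, call-back procedures) into code, as an added example that is not part of the webinar or InfoSight's material; the policy table, customer IDs, beneficiary accounts, business-hours window and transactions are all constructed assumptions:

```python
"""Rule-based ACH/wire screening with holds for call-back verification.
Added illustration, not InfoSight's or the webinar's own code; every
threshold, customer ID and transaction below is constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Hypothetical per-customer policy: dollar cap, daily count cap, known payees.
POLICY = {
    "CUST-001": {"max_amount": 25_000, "max_per_day": 5,
                 "known_payees": {"ACCT-A1", "ACCT-B2"}},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time (assumed policy)

def screen(transactions, policy=POLICY):
    """Return {txn_id: (decision, reasons)}, decision 'release' or 'hold'.
    A 'hold' is released only after out-of-band (call-back) confirmation."""
    per_day = defaultdict(int)      # (customer, date) -> count so far
    results = {}
    for txn in sorted(transactions, key=lambda t: t["time"]):
        rules = policy.get(txn["customer"])
        reasons = []
        if rules is None:
            reasons.append("customer not enrolled for this module")
        else:
            day_key = (txn["customer"], txn["time"].date())
            per_day[day_key] += 1
            if txn["amount"] > rules["max_amount"]:
                reasons.append("amount exceeds customer limit")
            if per_day[day_key] > rules["max_per_day"]:
                reasons.append("daily transaction count exceeded")
            if txn["payee"] not in rules["known_payees"]:
                reasons.append("first payment to this beneficiary")
            if txn["time"].hour not in BUSINESS_HOURS:
                reasons.append("submitted outside business hours")
        results[txn["id"]] = ("hold" if reasons else "release", reasons)
    return results

# Constructed sample: routine ACH to a known payee, 02:40 wire to a new payee, unenrolled customer.
SAMPLE = [
    {"id": "T1", "customer": "CUST-001", "payee": "ACCT-A1",
     "amount": 9_500, "time": datetime(2013, 3, 5, 10, 15)},
    {"id": "T2", "customer": "CUST-001", "payee": "ACCT-Z9",
     "amount": 9_800, "time": datetime(2013, 3, 5, 2, 40)},
    {"id": "T3", "customer": "CUST-002", "payee": "ACCT-A1",
     "amount": 500, "time": datetime(2013, 3, 5, 11, 0)},
]

if __name__ == "__main__":
    for txn_id, (decision, why) in screen(SAMPLE).items():
        print(txn_id, decision, "; ".join(why))
```

Every reason string is kept with the decision so the call-back operator and the later "Transactions by Employee" review see why a transfer was held rather than just that it was.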
What we covered today …
1. Online banking fraud
2. How does it impact you & your customer?
3. Real life examples
4. Best practices for reducing the risk
5. Steps to take when a client is victimized
How does InfoSight help financial institutions?
• MFA & eBanking Security Reviews & Risk Assessments
  • Pre-implementation
  • Enrollment
  • Technology
  • Operational Controls
  • Customer Awareness Program
• eBanking Risk Assessment Gap Analysis
• Penetration Testing & Vulnerability Assessments
• Forensic Analysis
• Virtual ISO Mentoring Programs
• Turnkey Customer Awareness Program
  • CSAP Portal

Resources from InfoSight
• Client Cyber-Fraud Incident Response Framework
• eBanking “Reasonably” Secure checklist
Email: [email protected]
• BAI Customers, log into L&D Connect for:
  • Recording of today’s webinar
  • Written Q&A responses and discussion
  • Presentation deck
• Share Your Feedback
  • Attendee feedback survey
• For More Information
  • Contact 800.264.7600 or [email protected]
  • Visit www.learnbai.org
BAI Learning & Development
Thank you!