Transcript
Page 1: Fraud Protections, Cyber-Theft and Controls

Fraud Protections, Cyber-Theft and Controls

By: David T. Schwindt, CPA RS PRA

Page 2: Fraud Protections, Cyber-Theft and Controls

2

David T. Schwindt David T. Schwindt, CPA, a native Oregonian, has over twenty five years experience

in public and private accounting including employment with the Portland, Oregon and Denver, Colorado, offices of KPMG Peat Marwick. Mr. Schwindt’s tenure was spent primarily in the Private Business Advisory Services Department providing auditing, accounting, tax, and management consulting services for businesses as well as tax compliance and planning for individuals.

Mr. Schwindt is a graduate of Western Oregon University where he received a Bachelor of Science Degree. He is a Certified Public Accountant in the State of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist – RS, licensed by Community Associations Institute and a Professional Reserve Analyst – PRA, licensed by the Association of Professional Reserve Analysts. He is a past director for Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado and member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council.

Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.

Page 3: Fraud Protections, Cyber-Theft and Controls

Cyber-theft

Are we at risk?

YES!!

3

Page 4: Fraud Protections, Cyber-Theft and Controls

Who Should be concerned?• Board Members• Management Companies• Affiliates

– CPAs– Bookkeepers– Insurance Agents– Bankers– Attorney

• Treasurers who have control over reserve funds

4

Page 5: Fraud Protections, Cyber-Theft and Controls

5

Understanding the Adversary• Known fraud rings are mostly Eastern European (Ukrainian, Russian,

Romanian, Estonian) as well as Asian• Complete service-based economy with specialists in

– ATMs– ACH and wire payment systems– Check processing– Credit card processing

• Online libraries, education, marketplace and recruitment– Malware kits sell for as little as $5,000– Some kits even come with tech support

• Attacks involve social engineering and technical aspects

Page 6: Fraud Protections, Cyber-Theft and Controls

6

The Goal of Criminals

• Steal cash• Steal information that can be converted

to cash

Page 7: Fraud Protections, Cyber-Theft and Controls

7

Dissecting a Zeus Attack

Account Take Over

Dissecting an Attack

1. Target Victims

2. Install Malware

3. Online Banking

4. Collect & Transmit

Data

5. Initiate Funds

Transfer

Criminals target victims by way of phishing or social engineering techniques

The victims unknowingly install malwareon their computers, often including key loggingand screen shot capabilities

The victims visit their online banking website and log on per the standard process

The malware collects and transmits data back to the criminals through a back door connection

The criminals leverage the victim’s online banking credentials toinitiate a funds transfer from the victim’s account.

Page 8: Fraud Protections, Cyber-Theft and Controls

8

Phishing• Criminals “phish” for victims using emails, pop-up’s and social

engineering• Unsolicited phishing emails may

– Ask for personal or account information– Direct the employee to click on a malicious link– Contain attachments that are infected with malware– Contain publicly available information to look legitimate

• Phishing emails can be very convincing– From UPS: “There is a problem with your shipment.”– From your bank: “There is a problem with your bank account.”– From the Better Business Bureau: “A complaint has been filed against you.”– From a Court: “You’ve been served a subpoena/selected for jury duty.”– From NACHA or the Federal Reserve: “Your ACH or wire transaction has been

rejected.”– From a job applicant: “My resume is attached.”

Page 9: Fraud Protections, Cyber-Theft and Controls

9

Sample Phishing EmailNACHA Phishing Alert (01/19/2010) – Email Claiming to be from NACHA

= = = = = Sample Email = = = = =

Dear bank account holder,

The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.

Please Find Attached Transaction Report

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Paul Arnold

Electronic Payments Association Manager

= = = = = = = = = = = = = = = = = = = =

Page 10: Fraud Protections, Cyber-Theft and Controls

10

Malicious Software (Malware)• Downloaded to PC after employee opens infected

attachments in an email or visits a nefarious website• Newer malware can be acquired simply by viewing

HTML emails• Allows criminals to “see” and track employee’s

activities internally and on the Internet, including visits to online banking sites

• Criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate

Page 11: Fraud Protections, Cyber-Theft and Controls

If you are hacked and your money is gone, who will reimburse you?

• Bank?• Management Company?• Insurance Company?

– Fidelity Insurance?– Computer Fraud Insurance?

11

Page 12: Fraud Protections, Cyber-Theft and Controls

Safeguards• Passwords

– Complex– Change passwords regularly– Do not share– Do not store on computer

• Stand Alone Computer– No web browsing– No emails– Password

12

Page 13: Fraud Protections, Cyber-Theft and Controls

• Dual Authorizations , online transactions should be coordinated with the Bank

• Financial/IT Audits– Implement recommendations– Yearly– Audits vs Reviews

• Education– Board Members– Management Company Personnel

13

Page 14: Fraud Protections, Cyber-Theft and Controls

• Written Protocols– Controls– Ongoing Education– In the event of an attack

• Contingency Plans• Daily reviews of all online transactions

– Banks require immediate notification

• Firewalls, Anti-virus, IT Security Software, and Protocols

14

Page 15: Fraud Protections, Cyber-Theft and Controls

Who is ultimately responsible for ensuring that strong controls are

in place to prevent cyber-theft?A.Association management

companyB.Independent AuditorC.Insurance AgentD.Board of DirectorsE.Banker

15

Answer: D. Board of Directors

Page 16: Fraud Protections, Cyber-Theft and Controls

How does the Board of Directors fulfill this

responsibility?• Engaging professionals

– CPA– Management Company– Insurance Agent– Banker– IT Consultant

• Documenting protocols

16

Page 17: Fraud Protections, Cyber-Theft and Controls

17

Summary• Conduct periodic risk assessments• Educate Board, management company, and committee

members as to the threat, defenses and risks• Use a stand-alone PC for online banking; prohibit email, web

surfing, etc.• Use dual control, dual authorization, activity limits, and receive

alerts• Review accounts and transactions regularly• Recognize the signs of malware on the PC• Suspect malware? Stop, unplug the PC and contact your FI

immediately.• Comply with the PCI Data Security Standards• Computer fraud and Fidelity Insurance

Page 18: Fraud Protections, Cyber-Theft and Controls

18

A Classic Risk Management Quote

“When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident…or any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.”

-Edward J. Smith, 1907

(Captain, RMS Titanic, 1912)

Page 19: Fraud Protections, Cyber-Theft and Controls

Cyber Theft

Presented by Kris Gjylameti

Page 20: Fraud Protections, Cyber-Theft and Controls

Cyber Crime – Growing Trend

• Cyber thieves have costs US companies more than $ 15bn in the past five years, the FDIC corporation found in a recent study.

• Cyber-crime in 2009336,655 complaints received$560M lost (not including unreported incidents)

• Cyber-crime in 2008275,284 complaints received$265M lost (not including unreported incidents)

Page 21: Fraud Protections, Cyber-Theft and Controls

Sample Corporate Account Takeovers and Losses

• Pennsylvania School District - $450,000• New York School District - $500,000• Experi-Metal - $550,000• PATCO - $358,000• Hillary Machinery - $229,000• Illinois Town - $70,000• Marian College - $189,000• Sand Springs School - $80,000• Sycamore County Schools - $300,000• Village View Escrow - $465,000• Catholic Diocese of Des Moines - $600,000• Town of Pittsford, NY - $139,000• Steuben Arcs - $158,000• St. Isidore’s Catholic Church - $87,000• Two Trucking Companies - $115,000• MECA - $217,000

Page 22: Fraud Protections, Cyber-Theft and Controls

FDIC - Trivia

Do you think that the FDIC will insure your money from a cyber theft event?

• YES

• NO

Page 23: Fraud Protections, Cyber-Theft and Controls

Primary Targets – Companies

• Cyber criminals are no longer attacking banks, they are targeting business

• Primary banking products are ACH and wire transfers, Online Bill Pay, E payments Management Companies are

the perfect target – Associations with large deposit amounts!!!

Page 24: Fraud Protections, Cyber-Theft and Controls

Is this you?

Page 25: Fraud Protections, Cyber-Theft and Controls

Accept that these threats are real and it could happen to you!

• The key is awareness and action on that awareness

• If you notice behavior by your system, staff, affiliates or other personnel that just doesn’t seem right, question it

Awareness

Page 26: Fraud Protections, Cyber-Theft and Controls

• Do not open attachments or enter links where the sender is not know to you or the information was not solicited/initiated by you

• Security information WILL NEVER be solicited by email

• Only browse on internet for business related needs

Prevention Methods

Page 27: Fraud Protections, Cyber-Theft and Controls

• Does your bank give board members online banking transaction capabilities?

• Do they ask if the board has proper internal controls?

• Dual Controls in online banking

• Multiple user approval features and approval levels

Questions to ask your Banker

Page 28: Fraud Protections, Cyber-Theft and Controls

• User level functionality that allows you to set access and limits per the needs of the user along with managing what the user can see.

• Email notifications – Have your balances changed?

Questions to ask your Banker

Page 29: Fraud Protections, Cyber-Theft and Controls

• Out of Band verification for ACH and Wire transactions when funds are leaving your account.

• Does your bank provide a layered security?

Questions to ask your Banker

Page 30: Fraud Protections, Cyber-Theft and Controls

Control: Out-of-Band Authentication

Enhanced Multi-Factor Authentication1. User logs in with their Username andPassword

• Something you know

Page 31: Fraud Protections, Cyber-Theft and Controls

• 2. User is prompted to select channel for• delivery of One Time Password (OTP)

• • Something you have *

Control: Out-of-Band Authentication

Because of multi-factor authentication, fraudster can not independently loginto a user account.• Fraudster would need to know username/password AND have the users phone. *

Page 32: Fraud Protections, Cyber-Theft and Controls

• Require secondary approval of transactionsor key changes with OTP

Control: Transaction Verification

Page 33: Fraud Protections, Cyber-Theft and Controls

• Immediate fraud identification, reporting and escalation is required.

• Commercial Clients have a duty to secure their information.

• Losses due to commercial client negligence can possibly result in a loss to the client.

Consumer v.s. Commercial Banking fraud

Page 34: Fraud Protections, Cyber-Theft and Controls

• Bank should call to verify whether a transaction is authentic:

• The call should go to someone other than the person who initiated the transaction

• Call should be confirmed by a “PIN”

Control: Callbacks

Page 35: Fraud Protections, Cyber-Theft and Controls

• Reporting periods for are based on the method of fraud and other circumstances. Check with your bank and ask for their specific reporting criteria.

• Millions can be lost in minutes so don’t delay! Contact your bank and make them aware of the cyber theft.

• Immediate reporting is critical to the success of recovering and mitigating losses when fraud occurs due to the timeframes set by the Federal Reserve, UCC or NACHA

Consumer v.s. Commercial Banking fraud

Page 36: Fraud Protections, Cyber-Theft and Controls

• Reg E – Provides Consumer Protection.

• Consumers enjoy much more protection from cyber theft or banking fraud.

• There is less of a burden for consumers and more on Commercial Businesses

Consumer Protection

Page 37: Fraud Protections, Cyber-Theft and Controls

• Monitor your account and audit your NACHA files for fraudulent activity.

• Collectively participate in your own - Information Security

• There is varying case laws with commercial client breaches – each situation is unique

Commercial Clients

Page 38: Fraud Protections, Cyber-Theft and Controls

MOST IMPORTANTLY, if you think you have clicked, open or downloaded a virus or software program, notify your supervisor

and/or IT staff immediately

The longer you wait, the more damage can occur!!!

Prevention Methods continued

Page 39: Fraud Protections, Cyber-Theft and Controls

• FDIC - website (www.fdic.gov) offers a wealth of information on this and related topics

• FDIC - has produced an excellent video “Don’t be an Online Victim” which can be found on YouTube

Additional Resources

Page 40: Fraud Protections, Cyber-Theft and Controls

“The world isn’t run by weapons anymore, or energy, or money. Its run by little ones and zeroes, little bits of

data. “Sneakers (1992)

Kris Gjylameti


Top Related