Fraud Protections, Cyber-Theft and Controls
Posted on 30-Dec-2015
PowerPoint PPT Presentation by David T. Schwindt, CPA RS PRA
Fraud Protections, Cyber-Theft and Controls
By: David T. Schwindt, CPA RS PRA

David T. Schwindt
David T. Schwindt, CPA, a native Oregonian, has over twenty-five years of experience in public and private accounting, including employment with the Portland, Oregon and Denver, Colorado offices of KPMG Peat Marwick. Mr. Schwindt's tenure was spent primarily in the Private Business Advisory Services Department, providing auditing, accounting, tax and management consulting services for businesses as well as tax compliance and planning for individuals.
Mr. Schwindt is a graduate of Western Oregon University, where he received a Bachelor of Science degree. He is a Certified Public Accountant in the states of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist (RS), licensed by Community Associations Institute, and a Professional Reserve Analyst (PRA), licensed by the Association of Professional Reserve Analysts. He is a past director of Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado, and a member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council.
Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.

Cyber-theft
Are we at risk?
YES!!

Who Should be Concerned?
- Board Members
- Management Companies
- Affiliates
- CPAs
- Bookkeepers
- Insurance Agents
- Bankers
- Attorney
- Treasurers who have control over reserve funds

Understanding the Adversary
- Known fraud rings are mostly Eastern European (Ukrainian, Russian, Romanian, Estonian) as well as Asian
- Complete service-based economy with specialists in:
  - ATMs
  - ACH and wire payment systems
  - Check processing
  - Credit card processing
  - Online libraries, education, marketplace and recruitment
- Malware kits sell for as little as $5,000
- Some kits even come with tech support
- Attacks involve social engineering and technical aspects

The Goal of Criminals
- Steal cash
- Steal information that can be converted to cash
Dissecting a Zeus Attack
Account Take Over: Dissecting an Attack
1. Target Victims: criminals target victims by way of phishing or social engineering techniques.
2. Install Malware: the victims unknowingly install malware on their computers, often including key logging and screen shot capabilities.
3. Online Banking: the victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data: the malware collects and transmits data back to the criminals through a back door connection.
5. Initiate Funds Transfer: the criminals leverage the victims' online banking credentials to initiate a funds transfer from the victims' account.

Phishing
- Criminals phish for victims using emails, pop-ups and social engineering
- Unsolicited phishing emails may:
  - Ask for personal or account information
  - Direct the employee to click on a malicious link
  - Contain attachments that are infected with malware
  - Contain publicly available information to look legitimate
- Phishing emails can be very convincing:
  - From UPS: There is a problem with your shipment.
  - From your bank: There is a problem with your bank account.
  - From the Better Business Bureau: A complaint has been filed against you.
  - From a Court: You've been served a subpoena / selected for jury duty.
  - From NACHA or the Federal Reserve: Your ACH or wire transaction has been rejected.
  - From a job applicant: My resume is attached.

Sample Phishing Email
NACHA Phishing Alert (01/19/2010): Email Claiming to be from NACHA
= = = = = Sample Email = = = = =
Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Please Find Attached Transaction Report
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Paul Arnold
Electronic Payments Association Manager
= = = = = = = = = = = = = = = = = = = =
Malicious Software (Malware)
- Downloaded to the PC after an employee opens infected attachments in an email or visits a nefarious website
- Newer malware can be acquired simply by viewing HTML emails
- Allows criminals to see and track employees' activities internally and on the Internet, including visits to online banking sites
- The criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate

If you are hacked and your money is gone, who will reimburse you?
- Bank?
- Management Company?
- Insurance Company?
- Fidelity Insurance?
- Computer Fraud Insurance?

Safeguards
- Passwords
  - Complex
  - Change passwords regularly
  - Do not share
  - Do not store on computer
- Stand-Alone Computer
  - No web browsing
  - No emails
  - Password
- Dual Authorizations; online transactions should be coordinated with the Bank
- Financial/IT Audits
  - Implement recommendations
  - Yearly
  - Audits vs. Reviews
- Education
  - Board Members
  - Management Company Personnel

Written Protocols
- Controls
- Ongoing Education
- In the event of an attack
  - Contingency Plans
  - Daily reviews of all online transactions
  - Banks require immediate notification
- Firewalls, Anti-virus, IT Security Software, and Protocols

Who is ultimately responsible for ensuring that strong controls are in place to prevent cyber-theft?
A. Association management company
B. Independent Auditor
C. Insurance Agent
D. Board of Directors
E. Banker

Answer: D. Board of Directors

How does the Board of Directors fulfill this responsibility?
- Engaging professionals
  - CPA
  - Management Company
  - Insurance Agent
  - Banker
  - IT Consultant
- Documenting protocols

Summary
- Conduct periodic risk assessments
- Educate Board, management company, and committee members as to the threat, defenses and risks
- Use a stand-alone PC for online banking; prohibit email, web surfing, etc.
- Use dual control, dual authorization, activity limits, and receive alerts
- Review accounts and transactions regularly
- Recognize the signs of malware on the PC
- Suspect malware? Stop, unplug the PC and contact your FI immediately.
- Comply with the PCI Data Security Standards
- Computer fraud and Fidelity Insurance
A Classic Risk Management Quote
"When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort."
- Edward J. Smith, 1907 (Captain, RMS Titanic, 1912)

Cyber Theft
Presented by Kris Gjylameti
Cyber Crime: Growing Trend
Cyber thieves have cost US companies more than $15bn in the past five years, the FDIC found in a recent study.
Cyber-crime in 2009
- 336,655 complaints received
- $560M lost (not including unreported incidents)
Cyber-crime in 2008
- 275,284 complaints received
- $265M lost (not including unreported incidents)

Sample Corporate Account Takeovers and Losses
- Pennsylvania School District - $450,000
- New York School District - $500,000
- Experi-Metal - $550,000
- PATCO - $358,000
- Hillary Machinery - $229,000
- Illinois Town - $70,000
- Marian College - $189,000
- Sand Springs School - $80,000
- Sycamore County Schools - $300,000
- Village View Escrow - $465,000
- Catholic Diocese of Des Moines - $600,000
- Town of Pittsford, NY - $139,000
- Steuben Arcs - $158,000
- St. Isidore's Catholic Church - $87,000
- Two Trucking Companies - $115,000
- MECA - $217,000

FDIC Trivia
Do you think that the FDIC will insure your money from a cyber theft event?
NO

Primary Targets: Companies
- Cyber criminals are no longer attacking banks; they are targeting businesses
- Primary banking products are ACH and wire transfers, Online Bill Pay, E-payments
- Management Companies are the perfect target
- Associations with large deposit amounts!!! Is this you?
Accept that these threats are real and it could happen to you!
The key is awareness and action on that awareness.

Awareness
- If you notice behavior by your system, staff, affiliates or other personnel that just doesn't seem right, question it
- Do not open attachments or follow links where the sender is not known to you or the information was not solicited/initiated by you
- Security information WILL NEVER be solicited by email
- Only browse the internet for business-related needs

Prevention Methods
- Does your bank give board members online banking transaction capabilities?
- Do they ask if the board has proper internal controls?
Questions to ask your Banker
- Dual Controls in online banking
- Multiple user approval features and approval levels
- User level functionality that allows you to set access and limits per the needs of the user, along with managing what the user can see
- Email notifications: Have your balances changed?
- Out-of-Band verification for ACH and Wire transactions when funds are leaving your account
- Does your bank provide layered security?

Control: Out-of-Band Authentication
Enhanced Multi-Factor Authentication
1. User logs in with their Username and Password (something you know)
2. User is prompted to select a channel for delivery of a One Time Password (OTP) (something you have *)
Because of multi-factor authentication, a fraudster cannot independently log into a user account. The fraudster would need to know the username/password AND have the user's phone.
* Require secondary approval of transactions or key changes with OTP

Control: Transaction Verification
Transaction OTP requires
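The out-of-band authentication and transaction verification controls described above, worked through as an added example that is not part of the presentation: a constructed Python simulation of a bank back end that delivers a one-time password over a separate channel (the user's phone) and binds it to the exact transaction being approved, so stolen credentials alone, a replayed code, or a transfer whose destination was altered in the browser are all refused. The class, the account name, the phone number and the 120-second validity window are assumptions made for this example.

```python
import hmac
import json
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed validity window for a transaction OTP

def _canonical(tx):
    """Stable serialization so two transaction dicts compare by content."""
    return json.dumps(tx, sort_keys=True)

class BankServer:
    """Constructed simulation of out-of-band (OOB) transaction verification:
    login proves something you know (password); moving money also needs a
    one-time password (OTP) sent to something you have (the user's phone)
    and bound to the exact transaction being approved."""

    def __init__(self, users):
        self.users = users      # username -> {"password": str, "phone": str}
        self.pending = {}       # username -> {"otp": str, "tx": dict, "expires": float}
        self.phone_inbox = {}   # phone number -> delivered SMS texts (simulated OOB channel)

    def login(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["password"], password)

    def request_transfer(self, username, tx):
        """Issue a transaction-bound OTP and push it over the out-of-band channel."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"otp": otp, "tx": tx, "expires": time.time() + OTP_TTL_SECONDS}
        # The SMS restates the real amount and destination, so a user whose browser
        # shows a malware-altered page can still spot a transfer they did not request.
        phone = self.users[username]["phone"]
        self.phone_inbox.setdefault(phone, []).append(
            f"Approve transfer of ${tx['amount']} to {tx['to']} with code {otp}")

    def confirm_transfer(self, username, tx, otp):
        """Release funds only if the OTP is fresh, unused and issued for this exact transaction."""
        pend = self.pending.pop(username, None)  # single use: consumed whether or not it verifies
        if pend is None or time.time() > pend["expires"]:
            return False
        if _canonical(pend["tx"]) != _canonical(tx):
            return False  # amount or destination changed between request and approval
        return hmac.compare_digest(pend["otp"], otp)

def read_otp(sms_text):
    """What the legitimate user does: read the six-digit code off the phone."""
    return sms_text.rsplit(" ", 1)[-1]
```

The Zeus flow on the earlier slide ends with the criminals using captured credentials alone; in this model that only gets as far as `login`, because `confirm_transfer` never accepts a code that was not read from the phone for that same transaction.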