managing emerging technology riskmay 16, 2012 · id theft account takeover wire/ach fraud...
TRANSCRIPT
-
0
Managing Emerging Managing Emerging Technology Risk Technology Risk
Federal Deposit Insurance CorporationFederal Deposit Insurance CorporationNew York Regional OfficeNew York Regional Office
May 16, 2012May 16, 2012
-
1
Managing Emerging Technology Risk
Regulatory guidance and best practices for managing risks pertaining to:
- payment systems,- social media sites,- mobile banking, and- virtualization/cloud computing
Security and data integrity challenges in safeguarding customer information
-
2
Payment Systems
Non-Cash Payment Systems in the US:
Check Clearing Systems Automated Clearing House (ACH) Systems Card-based Credit/Debit (e.g., Amex,
Discover, MasterCard, Visa, etc.) Prepaid/Stored Value Card Programs Electronic Funds Transfer Networks (e.g.,
Star, Cirrus, Pulse, etc.) Person-to-Person or P2P (e.g., PayPal, etc.)
-
3
Payment Systems
Payments risk covers all FDIC supervisory disciplines:
Safety & SoundnessCompliance/Consumer ProtectionBank Secrecy Act / Anti-Money LaunderingTechnology/Operations
-
4
Corporate Account Takeover
Corporate accounts are targeted because of the large balances and the ACH credits that are generated have expedited funds availability.
-
5
Corporate Account Takeover
Methods used to obtain valid online banking credentials include:
Keylogging malware – records legitimate user’s keystrokes and sends to perpetrator
E-mail phishing – tricks legitimate user to send credentials or enter them at a web site
-
6
Security and Data Integrity Challenges
Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing
fraud are continuously evolving.
-
7
Cyber Fraud and Financial Crime Reports
FDIC Division of Risk Management Supervision
Technology Supervision Branch Cyber Fraud and Financial Crimes Section
-
8
Computer Intrusions3rd Quarter 2011
Computer Intrusions
759
369 376
495440
639
396331
0
100
200
300
400
500
600
700
800
2004 2005 2006 2007 2008 2009 2010 2011
3rd Quarter
Rep
orts
-
9
Computer Intrusion Losses by Type Code
3rd Quarter 2011
3Q11 Computer Intrusion Losses by Type Code
70%
12%
11%
1%1%1%
1%1%
2%ID Theft Account Takeover Wire/ACHFraudCounterfeit Cards
Credit Card Fraud
Computer Intrusion
Check Fraud
ID Theft Debit/Credit Card Fraud
Embezzlement Wire Fraud
Debit Card Fraud
All Other Codes (57)
-
10
Computer intrusion detection rates 3rd Quarter 2011
Computer Intrusion Detection 3Q11
38%
17%
15%
10%
4%
4%2%2%
2%2%2%2%
Customer Notified Bank
FI Employees
Not Detected
Card Network/PaymentProcessorRDFI
IRC - Employee AcctReviewsMoney Mules Notified
Western Union
Returned Wire Notice
Notified by a Reporter
University Detected
TSP Detected Bad IP
-
11
Online bank account takeovers3rd Quarter 2011
Online Bank Account Takeover Losses
-5
101520253035404550
4Q2010 1Q2011 2Q2011 3Q2011
MIL
LIO
NS
$$
Other Violations(Online AcctTakeover)
Wire TransferFraud
ComputerIntrusion
-
12
ID Theft reports 3rd Quarter 2011
ID Theft
11,330
8,9377,749
8,015
-
2,000
4,000
6,000
8,000
10,000
12,000
2008 2009 2010 2011
3rd Quarter
-
13
Wire transfer fraud reports 3rd Quarter 2011
Wire Transfer Fraud
4,235 4,178
3,4493,392
-
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
2008 2009 2010 2011
3rd Quarter
-
14
Wire Transfer Fraud Losses3rd Quarter 2011
Wire Transfer Fraud 3Q11 Losses
56%
8%
7%
6%
4%
3%
3%3%
2%2%
1% 1% 1%3%
Mortgage Fraud
Credit Card Fraud
Commercial Loan Fraud
Wire Transfer
ID Theft
Counterfeit Checks
Check Fraud
Online Banking
Terrorist Financing/MoneyLaunderingConsumer Loan
Computer Intrusion
Insider Fraud
Telephone Fraud
All Other (834)
-
15
Wire Transfer Fraud Financial Institution Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud Financial Institution Losses
34%
32%
23%
5%5% 0%
1%
Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverAdvanced Fee Scams
HELOC Account Takeover
Money Mule ReceivingFundsOnline Classified Scams
Romance Scam
Email AccountCompromisedUnspecified FraudulentWireUnauthorized EFT/ACHDebits
-
16
Wire Transfer FraudCustomer Losses 3rd Quarter 2011
3Q11 Wire Transfer Fraud Customer Losses
31%
21%16%
16%
14%0%2%
Online Classified Scams
Romance Scam
Online Bank AccountTakeoversEmail AccountCompromisedUnspecified FraudulentWireAdvanced Fee Scams
Unauthorized EFT/ACHDebitsCorporate AccountTakeoverConsumer AccountTakeoverHELOC Account Takeover
Money Mule ReceivingFunds
-
17
Wire Transfer FraudAll Losses
3rd Quarter 2011
3Q11 Wire Transfer Fraud All Losses
31%
24%17%
8%
6%
4%4%
3%
1% 0%2%Online Bank AccountTakeoversCorporate AccountTakeoverConsumer AccountTakeoverOnline Classified Scams
Romance Scam
Email AccountCompromisedAdvanced Fee Scams
HELOC Account Takeover
Unspecified FraudulentWireMoney Mule ReceivingFundsUnauthorized EFT/ACHDebits
-
18
Wire Fraud Loss- Ingress Channel3rd Quarter 2011
3Q11Wire Fraud Loss - Ingress Channel
30%
11%
10%10%
6%
5%
4%
3%
3%
3%3%
2%2%2%
2%2%1%
Email
Online Classifieds/Auction
Branch
Phishing/Malware
German/US IPS
Unknown
Email (originating from Malaysia)
UPS Letter
ID Theft/Account Takeover
Logged on from Local IP
Logged on from Customer's PC
Logged in from US IP
Logged in from Korea
FAX
Telephone Transfer
Mobile Device (Malaysia provider)
Other (11)
-
19
Debit Card Fraud
Volume
Means of Exploitation
-
20
Risk Mitigation Practices/Controls
Utilize multi-factor authentication
Install and regularly update firewalls, malware/spyware protection, and commercial anti-virus software
Initiate payments under dual control
-
21
Risk Mitigation Practices/Controls
Limit administrative rights on workstations
Encourage corporate clients to reconcile their bank accounts daily
Use AML/BSA Acct Monitoring Tools
Customer (Public) Awareness and Education and Employee Training
-
22
Information Technology (IT) Examinations
IT examinations address a wide range of data security issues such as:
Information security programs and compliance with Gramm-Leach-Bliley Act, Sect. 501(b) requirements;
Business continuity planning and physical security;
IT audit coverage and independent review of controls;
IT security strategies and policies and personnel controls
-
23
Primary Supervisory Examination Issues
Primary supervisory examination issues continue in the areas of :
Gramm-Leach-Bliley Act (GLBA) compliance
Vendor Management programs
Business Continuity/Disaster Recovery planning
IT Audit Coverage
Network/access controls
-
24
Mobile Device Fraud
Fraudulent Wire Transfer
Exploitation Methods
Risk Assessment
-
25
Social Media Sites
Security Risks
Reputation Risk
Corporate Governance
Resources
-
26
Risk Assessment Issues
GovernanceStrategic ConsiderationsPoliciesTopologyControlsContracts/AgreementsAudit
Cloud Services
-
27
Examination/Financial Institution Guidance
FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-4-2009)
Identity Theft Red Flags, Address Discrepancies, and Change of Address Regulations Examination Procedures (FIL-105-2008)
FFIEC Retail Payment Systems Handbook (FIL-6-2010)
FFIEC Guidance: Authentication in an Internet Banking Environment(FIL-103-2005)
Payment Processor Relationships-Revised Guidance (FIL-3-2012)
FDIC Supervisory Insights Journal (Quarterly)
-
28
Examination/Financial Institution Guidance (Continued)
FFIEC Supplement to Authentication in an Internet Banking Environment (FIL-50-2011)
Special Alert SA-147-2009: Fraudulent Electronic Funds Transfers(August 2009)
Guidance for Managing Third-Party Risk (FIL-44-2008)
National Institute of Standards & Technology (NIST)
Trade Associations (ABA, BITS)
PCI Security Standards Council
US CERT
-
29
Thank you!
-
30
Contact Information
Stephanie WilliamsExamination Specialist
(Information Technology)New York Regional Office
Gerald SuslakExamination Specialist
(Information Technology)New York Regional Office
Robert SargentExamination Specialist
(Information Technology)Boston Area [email protected]