svb online · pdf file•spear-phishing attacks ... security level and report unauthorized...
TRANSCRIPT
SVB ONLINE SEMINAR
It’s a Jungle Out There: How You Can Protect
Your Company from Business Account Fraud
July 28, 2010
2
Panelists
• Wesley Wilhelm - Senior Analyst, Aite Group, LLC
• Thomas Ravenelle - Assistant Special Agent in Charge, Federal
Bureau of Investigation
• Linda Coven - Head of Online Banking Solutions, Silicon Valley Bank
Online Banking Fraud: An Evolving Fraud
Environment
Wesley WilhelmSenior Analyst
Aite Group, LLC
4
Agenda
• It’s all about Authentication!
• Why should you care?
• Fraudsters & technology evolve.
• What do businesses & bankers say?
• The bank fraud environment.
• Fraud loss migrations in context.
5
Multi-Factor Authentication
Three basic ―factors‖
o Something the customer knows
• User ID, Password, PIN, security question answer
o Something the customer has
• Debit/Credit card, chip card, token, phone, etc..
o Something the customer is
• Biometric; voiceprint, fingerprint, iris/retina scan
o Multiple items of the same factor (e.g. 3 things the customer
knows) is not multi-factor.
6
Authentication Approaches
• User ID and Password
o Strong and Weak
• Security Questions
o Pre-defined, Customer selected
• Device Identification
o Active registration, Passive identification
• Knowledge Based Authentication
o Out of wallet, Bureau and non bureau based
• Tokens
o Hardware, Software, Disposable
• Out of Band Authentication
o Phone, email, website,
7
Why Is This An Issue?
• The average balance, per account, is in the range of $500,000.
• Half a million dollars, on average, in a single account immediately
makes the your account a high value target.
• Fiduciary responsibility by customer to reduce risk through
diversification of accounts.
• Protect corporate assets, fraudsters read the same press we do.
8
Tomorrow’s Challenges
• Fraud attacks are compromising multiple factors
o Log in credentials, one-time passwords,
o Device sessions in real time, and
• Convergence of telephony & computing
o Land lines to cell phones to smart phones
• Dual Band Single Use
• Dual Band Simultaneous Use
• The phone and the computer are one
9
Evolving Attack Methods
MITB – Man-in-the-Browser Attacks
o Stolen Online Banking log in credentials
• Activates on login & steals credentials & OTP
• Blocks session and re-logs in from another machine
o Remote Control
• Malware uses customer’s machine as a proxy to connect,
appears to be legitimate customer
o Session Hijacking
• Malware intercepts the session and activity then invisibly
changes payee and amounts
10
What do Businesses Say?
11
Concern About Security
12
What Bankers Say
13
Online Banking Fraud
14
The Fraud Environment
15
The Fraud Environment
16
The Fraud Environment
17
Shifting Losses
18
Shifting Channel Importance
19
Cross-channel, Online & RDC
FBI Cyber Investigations
Thomas RavenelleAssistant Special Agent In Charge
Federal Bureau of Investigation
21
FBI Cyber Program
• Cyber Division formed in 2002
• Cyber career path
o Cyber squads in all 56 field offices (4 in SF)
o National Cyber Investigative JTF
• Regional Cyber Action Teams
o Agents, forensic examiners, others
o Contractor support
22
Focusing on the Threat
• National Cyber Investigative Joint TF
o 17 LE and intelligence agencies
o Based in Northern Virginia
o Coordinates domestic cyber investigations
o Organized into Threat Focus Cells
• Informal dissemination within group
• Formal dissemination between agencies
23
The FBI Strategy
• Prioritize against the greatest threats
• Identify the most important actors
• Target them with sophisticated investigations
• Prosecute them wherever they are
24
FBI Cyber Priorities
• Counterterrorism Intrusions
• Counterintelligence Intrusions
• Criminal Intrusions
• Online Child Exploitation
• Intellectual Property
• Internet Fraud
25
FBI Criminal Investigations
• Various cyber-related offenses
o Unlawful access to computers
o Material support to terrorism
o Espionage/Economic Espionage
o Use of the Internet to trade child porn
o Intellectual Property Rights
o Fraud
26
Cyber Fraud Criminal Hierarchy
Coders
Bot Herders
Carders
Mules
Brokers
Vendors
Developers
Arrows
Kingpin
OC
27
Aggressive Investigations
• Techniques
o Undercover operations
o Wiretaps
o Confidential Human Sources
o Traditional investigative techniques
28
Getting the Word Out
• Dissemination ASAP of case information
o Even in active criminal investigations
• Informing those who can use the data
o Within government
• Intelligence Community
• Information Assurance – DHS, USCERT
o Private sector
• InfraGard
• ISACs
o General public
29
Getting the Word Out
30
Overseas Efforts
• FBI Agent assigned to Romanian National Police for last
four years
• Russia assisting with Cyber investigations and helping
FBI get more involved with Ukraine (Estonia and the
Hague soon)
• FBI Cyber asked to join Europol to combat organized
Cyber criminal efforts
• FBI International Operations Division
31
Panama City
Caracas
Santo Domingo
Bridgetown
Bogota
Brasilia
Santiago
Buenos Aires
San Salvador
Astana
Athens
Tallinn
Bucharest
Budapest
Sofia
Prague
Warsaw
Moscow
Sarajevo
Sofia
Kyiv
Tbilisi
Berlin
London
Paris
Bern
Madrid
Rome
Brussels
Vienna
Copenhagen
Ottawa
Mexico City
Algiers
Cairo
Lagos
Nairobi
Pretoria
Freetown
Dakar
Rabat
Canberra
Tokyo
Seoul
Hong Kong
Bangkok
Manila
Singapore
Beijing
Jakarta
Phnom Penh
Kuala LumpurAbu Dhabi
Amman
Ankara
Doha
Tel Aviv
Riyadh
Islamabad
New Delhi
Kabul
Baghdad
Sanaa
FBI Legal Attaché Offices
32
Mitigation Strategy
• Intelligence Information Reports and Intelligence Bulletins to ICo Scope of the scheme and Malicious code used
• Public Service Announcemento Detailed technical mitigation and prevention recommendations
o Posted on the Internet Crime Complaint Center (IC3) website
o Distributed via InfraGard, FS-ISAC, ECTFs & Visa
• Personal contact with all U.S. victims by cyber agents
• All Legal Attaches notified regarding foreign victims
• Identification of subjects & dismantlement of criminal infrastructure
33
Current Methods
• Small - medium-sized businesses attackedo Plus local governments and schools
• Spear-phishing attackso Directed to financial officer or credential holder
o Causes computer to be infected by malware• Harvests credentials
• Fraudulent ACH transferso To money mules
o Wired overseas
34
Money Mules
• Small armyo Some larger than1,600 and counting
o Some likely witting and some unwitting
• Recruited through ―Work at Home‖ Adso Also via Monster and CareerBuilder
• Hired as ―Financial Managers‖ or ―Payment Processors‖
• Open bank accounts in true names
• Receive ACH transferso Cash out
o Wire the money to account in
• Russia, Ukraine, Moldova
• Usually Western Union or Moneygram
35
How to Avoid Being Victim
• Do you visit websites by clicking on links within an
email?
• Do you reply to emails from companies or persons you
are not familiar with?
• Have you received packages to hold or ship to someone
you met on the Internet?
• Have you been asked to cash checks and wire funds to
an employer you met online?
• Would you cash checks or money orders received
through an online transaction without first confirming
their legitimacy?
• Would you provide your personal/banking information as
a result of an email notification?
36
FBI’s Internet Crime Complaint Center can be
found at www.ic3.gov
www.lookstoogoodtobetrue.com
What Your Company Can Do
Linda CovenHead of Online Banking Solutions
Silicon Valley Bank
38
The Key to Safety
38
•There is no silver bullet
•Mix solutions to match the threato Usabilityo Resource constraintso Business requirements
•At a minimumo Use the best security you can affordo Educate your employeeso Monitor your accounto Notify your bank of fraud ASAP
39
Primary Reasons Companies Experience Losses
Failure to enforce internal controlso Failure to reconcile or return checks on a timely basis
o Internal Fraud (by employees)
o Loss, theft or counterfeit payroll checks
o Mismanagement of on-line users (suspend or delete as appropriate)
o Changes of vendor addresses to employee’s address (Match your AP vendor address file to your employee file)
Failure to use fraud prevention serviceso Account Reconciliation
o Positive Pay/Payee Validation
o Reverse Positive Pay
o ACH Debit Blocks
Source 2008 AFP Payments Fraud and Control Survey
40
Internal Controls
Strong internal controls are essential1. Reconcile regularly: Daily account review accounts daily; weekly or monthly
account reconcilement to spot anomalies
2. Require two to tango: Separate duties so that it takes at least two people to complete a transaction-one who initiates and another who approves
3. Structure your accounts: Separate your operating accounts, rather than sharing accounts and access-and only allow access based on defined function
4. Review daily activity online
5. Physical controls over pre-printed check stock/facsimile signatures
6. Close accounts which have had fraudulent activity
7. Keep authorizations up-to-date
8. Know your employees: Verify references and check criminal background
9. Check accounting records closely for several months
10. Know your vendors
11. Protect your access credentials
41
Protect Your Computer
• Keep your operating system and Web browser up-to-date.
• Use anti-virus software and keep it up-to-date.
• Beware of Wi-Fi hotspots
• Do not install software without knowing what it is
• Downloading a new application is simple and convenient, but be
cautious about what you install
• Log off when you are through using SVBeConnect
• Do not click inside pop-up windows unless they are from a trusted
Web site
• Watch for people looking over your shoulder
41
42
Prevent Online Fraud
• Use strong passwords: Include letters, numbers and characters;
change frequently
• Protect confidential information, passwords/PINs
• Review/train online users
• Use dual control services when possible
• Make use of alerts: To flag large and unusual transactions and
activities
• Trust your eyes: Look for visual clues (e.g. last logon time)
• Take advantage of available fraud prevention tools
• Stay current and informed: Read bulletins and emails
• Logout: Do not simply close the browser, make sure you
actually use the log-out feature
42
43
FS-ISAC* Recommendations
• Reconcile accounts daily
• Mandate dual control
• Install a dedicated computer for accessing online banking and initiating payments
• Educate employees and customers on risks, including social engineering and computer security best practices
• Build internal relationships and cross-department event/incident information sharing (e.g. Fraud, Information Security, Compliance, Treasury Management)
• Incorporate external information into your incident response process
• Implement Positive Pay
• Assess and implement stronger information security technologies and best practices
• Implement fraud detection and predictive analytics systems
• Partner with law enforcement
• Perform risk assessments of IT software and hardware supply chain
• Understand, prepare and react quickly
• Work on developing long term infrastructure solutions
• For retailers, monitor card reversal transactions in order to detect fraudulent activity
• For retailers, establish clear procedures for handing card reversal transactions
* Financial Services - Information Sharing and Analysis Center
43
44
What Does SVBeConnect Offer?
We focus most fraud prevention activities behind the scenes, utilizing
multiple tools to monitor and profile behavior and activity so as not to
impact the client experience
• Controls
o Flexible controls for management of account/transaction access including multiple
levels of approvals by payment type, amount and account
o Dual administration of user entitlements
o Intra-day reporting of transactions
o Alerts of events, balances and transactions
o Positive pay
• Online security options
o Virtual slider (a software based token)
o Trusteer’s Rapport
o Call to Verify (Out of Band in session authentication)
o Choice of a virtual keypad or text pad to enter strong passwords
44
45
Fraud Resource Center
45
http://www.svb.com/fraud/
46
Trusteer’s Rapport
Rapport differs from Anti-Virus and Firewalls
o Locks down access to financial and private data instead of looking for
malware signatures
o Communicates with your online banking Web site to provide feedback on
security level and report unauthorized access attempts
o Enables you to take immediate action against changes in threat
o Blocks Zeus, Torpig, Silent banker and other Man in the Browser attacks
o Blocks malware attacks including key-loggers, screen scrappers and
pharming
o Enables phishing site detection and confirmation
46
47
Call to Verify Triggered
47
48
Call to Verify Code
48
4949
Questions?
5050
Wesley Wilhelm
Wesley Wilhelm is a senior analyst at Aite Group, LLC, covering fraud management, payments, and retail banking technology and operations with an emphasis on the ATM, branch and call center channels.
Mr. Wilhelm brings to Aite Group over 25 years of experience in banking and consulting to the banking industry. At banks, he has held management positions in risk and fraud management, credit card issuing, debit card issuing and ATM driving, merchant acquiring, and branch and call center operations.
Mr. Wilhelm is a recognized Fraud Management thought leader for his pioneering research on the Fraud Management Lifecycle Theory. He has been widely quoted by the press, in publications such as Banking Technology, Collections and Credit Risk, and USA Today, and has been a speaker at numerous industry/client events and conferences including Association of Certified Fraud Examiners (ACFE), Economic Crime Institute, ABA Bankcard Conference, and Inside ID. Mr. Wilhelm has published numerous articles on fraud management in publications such as Journal of Economic Crime Management, Credit Card Management, Card Technology, and the White-Collar Crime Fighter.
Most recently, Mr. Wilhelm was an operations executive at Merchant e-Solutions, where he led the launch of a merchant fraud and chargeback management service offering. Prior to that, he was vice president of retail risk management at JPMorgan Chase (formerly Washington Mutual) where, among other achievements, he managed to drastically reduce fraud losses within the Washington Mutual debit card portfolio. Previously, Mr. Wilhelm was a director of business consulting with FICO (formerly HNC Software Inc.) where he was involved in the development of eFalcon and the creation of Falcon ID. Before that, he held management roles at various banks, including Seafirst Bankcard Services (now part of Bank of America), Santa Barbara Savings and Loan, City Commerce Bank, and The Chartered Bank of London (now part of Union Bank).
He has taught university-level courses in Economic Crime Management at Utica College and led a seminar on Advanced Fraud Analysis at North Carolina State University.
A Certified Financial Crime Investigator, Mr. Wilhelm holds an M.S Degree in Economic Crime Management from Utica College, and a B.A in Economics and Political Science from the University of California. He is also an Olympic-style target archer.
Senior Analyst
Aite Group, LLC
509.448.3961
5151
Thomas Ravenelle
Assistant Special Agent in Charge (ASAC) Thomas P. Ravenelle entered the FBI as a Special
Agent in 1987. After completing New Agent training, he was assigned to the St. Louis Division,
where he served on a violent crimes squad responsible for bank robbery, extortion, and
kidnapping investigations.
In 1991, he was transferred to the San Francisco Division and assigned to investigate white collar
crime cases, including financial crimes and fraud matters. ASAC Ravenelle was reassigned to
investigate international and domestic terrorism matters in 1993.
In 1995, he successfully completed the Hazardous Devices Course at Redstone Arsenal,
Alabama and he was certified as a Special Agent Bomb Technician. ASAC Ravenelle was
promoted to Supervisory Special Agent in 1998 and he supervised several squads tasked with
investigating domestic terrorism, international terrorism, and criminal enterprise matters.
In 2006, ASAC Ravenelle was promoted to Team Leader in the Inspection Division at FBI
Headquarters. In this capacity, ASAC Ravenelle participated in more than 20 inspections of field
offices, FBIHQ divisions, and Legal Attache offices.
In 2008, ASAC Ravenelle was promoted to his current position and assigned as Program
Manager for the Cyber and Civil Rights programs for the San Francisco Division.
ASAC Ravenelle has served on both the St. Louis and San Francisco FBI SWAT teams, and he is
currently the San Francisco FBI SWAT Commander
Asst. Special Agent
FBI, SF Division
1919 Bascom Ave.,
Suite 400
Campbell, CA 95008
5252
Linda Coven
Linda Coven, Head of Online Banking Solutions Channel Management, is responsible for
developing and maintaining SVBeConnect, Silicon Valley Bank’s primary online banking platform.
SVBeConnect, is a system customized for SVB’s unique client base — technology and life
science companies, private equity firms, and the premium wine industry.
Linda has more than 25 years experience in all aspects of cash management and has held key
product management and sales management positions with leading financial institutions and
treasury management innovators, including Wells Fargo Bank, and BankBoston (Fleet). Before
joining SVB, Ms. Coven was a founding member of Clareon and Xign, two technology start-ups
that developed network-based electronic payment models.
Linda currently serves on the American Bankers Association’s Payments Systems Committee,
which acts as the ABA’s primary liaison with the Federal Reserve banks and Federal Reserve
board’s regarding payments system issues, corporate and retail banking operations, and relevant
Federal Reserve products and services. She has been a frequent speaker at industry forums and
was named the ―Voice of Financial EDI‖ by NACHA in 1999. She has published articles on
electronic commerce and electronic payments. Ms. Coven received her BS from Western
Michigan University and is a graduate of the University of Southern California School of
Management Executive MBA program. She is active in the California Humane Society and an avid
supporter of the Leukemia and Lymphoma Society’s ―Light the Night‖ program.
Head of Online
Banking Solutions
Silicon Valley Bank
408.654.7308
5353
Disclosures
This material, including without limitation the statistical information herein, is provided for informational purposes only. The material is based in part upon information from third-party sources that we believe to be reliable, but which has not been independently verified by us and, as such, we do not represent that the information is accurate or complete. The information should not be viewed as tax, investment, legal or other advice nor is it to be relied on in making an investment or other decision. You should obtain relevant and specific professional advice before making any investment decision. Nothing relating to the material should be construed as a solicitation or offer, or recommendation, to acquire or dispose of any investment or to engage in any other transaction.
The views expressed by third party presenters are their own and do not necessarily reflect those of SVB Financial Group, or its affiliates.
Silicon Valley Bank is a member of the FDIC and the Federal Reserve and it is the California bank subsidiary of SVB Financial Group, which is also a member of the Federal Reserve. Products and services offered by Silicon Valley Bank are not covered by SIPC or FDIC insured, are not deposits or other obligations of Silicon Valley Bank, and may lose value.
Neither SVB Financial Group nor its affiliates provide tax or legal advice; clients should consult their own accountants and attorneys for such advice. Aite Group and the Federal Bureau of Investigation are independent third parties and are not affiliated with SVB Financial Group or its affiliates.
