CUNA Mutual Group Proprietary
Reproduction, Adaptation or Distribution Prohibited
© CUNA Mutual Group 2013
Online Account Takeover
Roger Nettie
Session Outline
• Types of attacks
• Movement of funds
• Consumer versus commercial accounts
• Liability Issues
• FFIEC guidelines
• Online Account Opening & Funding
Types of Attacks
• Key Logging
• Man-in-the-Middle
• Man-in-the-Browser
• Account Recovery
• DDoS
– Disruptive?
– Distraction?
Keylogger Malware
SecureIT Researchers: ZeuS Trojan Detections on the Rise
• The ZeuS Trojan that was employed by cyber crime rings to steal millions of dollars from U.S. banks in fall 2010 appears to be making a comeback. Our SecureIT researchers spotted a 55% increase in ZeuS Trojan or Zbot detections thus far in Q2 2013 versus Q1 2013. The new version of the ZeuS Trojan, dubbed Zbot, is a botnet targeted towards stealing your banking information. A botnet is a group of Internet-connected devices that communicate with one another and carry out tasks simultaneously. These devices are capable of causing serious mayhem if they’re all instructed to attack a single target, like a bank, at the same time.
Movement of Funds
• Cross-member transfer
• Bill Payment
• ACH
• Wire Transfer
Terminology
• Member-to-Member (M2M)
– Cross-member transfer
• Account-to-Account (A2A)
– Member-generated ACH
– Debits and credits
• Person-to-Person (P2P)
– Consumer-friendly identification layer over ACH
– Generally sending funds
• Peer-to-Peer (also P2P)
– Book-entry closed systems such as PayPal
[Diagram: the four transfer types, each drawn as a flow between two boxes]
– M2M: CU member to CU member, book-entry transfer
– A2A: CU member to FI account, basic ACH origination
– P2P: CU member to FI account, ACH origination addressed by a phone/email identifier
– Peer-to-peer: vendor account to vendor account, book-entry transfer
Movement of Funds
• Cross-member transfer
• Bill Payment
• ACH
• Wire Transfer
• Money Mules
• Prepaid Debit Cards
Money Mules
• How they work
– Recruited through email-based work-at-home job scams
– Helping companies process payments
– Receives the fraudulent transfer (often under $10,000), keeps a small percentage, and wires the remainder to contacts abroad
• Problems they create
– Not the brightest individuals: they have trouble following instructions and mess up the details (the same reasons they are unemployed)
– Transposing digits in account and R&T numbers
– Failure to remove funds timely
– Might disappear with the money themselves
Hackers steal $527,000 from LES FCU account at bank
Credit Union Breaches
• Accounts at Corporate Credit Unions
• A $650,000 loss where a credit union gave new online password access to somebody over the phone for a business account, and the perpetrators drained the account using the bill payment feature.
• Large loss situation where thieves got into multiple member accounts, and used cross-member transfer capabilities to transfer funds into a single member's account. This single member fell for a money mule scam, and took the proceeds over to Western Union to make international wire transfers.
• Phishing of members, ACH credits
Credit Union Breaches
• Multiple waves of malware/mule and cross-member transfers
• ACHs to prepaid debit cards
• ACH payroll, with security
• ACH payroll, without security
• Core processor breach of password information?
• Wire, confirmed through email
• Wires by phone, then wires by online request
Man-in-the-Browser Attacks
[Flow diagram, for educational purposes only]
• Cyber crook sends a password-stealing Trojan as an email attachment or as a link to an infected website.
• User logs into the online banking system.
• Trojan wakes up when the targeted online banking website(s) are visited.
• User enters transfers (ACH or wires).
• MITB overwrites the user’s transaction, changing dollar amounts and destination accounts.
• Funds are sent to the money mules.
• Mules withdraw the money and wire it to the cyber crooks.
Overwrites User’s Transaction
This illustration is created for educational purposes only.
Consumer Versus Commercial Accounts, Liability
• Consumer Accounts
– Member negligence
– Regulation E
• Commercial Accounts
– Credit union accounts
– ACH transactions/Payrolls
– Wire transfers
– Uniform Commercial Code Article 4A
– Commercially reasonable security procedures
– Written funds transfer agreements
FFIEC’s Updated Authentication Guidance
• The Federal Financial Institutions Examination Council (FFIEC) issued updated authentication guidance on June 28, 2011
• Risk assessments
– Financial institutions must review and update risk assessments
• To reflect changes in the threat environment;
• Prior to implementing a new electronic service; or
• At least every 12 months
– Adjust authentication controls and add layered security controls as appropriate
• Enhanced multifactor authentication for high risk transactions
– ACH and/or wire transfer capabilities
• Implement administrative control capabilities for business accounts
• Implement layered security controls
– Multiple controls implemented at various points in the transaction process
– If one control is compromised, there are others in place to detect and prevent fraudulent transactions
• Implement customer awareness program
Authentication Options
• Something you know
– Password
– Challenge questions
• Something you have
– IP address (PC recognition)
– USB token
– Smart card
– Password-generating token
– Digital certificates
• Something you are
– Biometrics
MITB attacks have rendered what were once considered strong multifactor authentication methods ineffective.
FFIEC Updated Authentication Guidance: Types of Layered Security Controls
• Fraud monitoring solution
– Monitor individual transactions for fraud
– Initial login and authentication
• Out-of-band authentication
• Out-of-band transaction verification
• Monetary and frequency limits
• Techniques to limit the use of the account – such as ACH debit blocks
• Restrictions on the days and hours of access
• Internet Protocol (IP) reputation-based tools to block connection to online banking servers from IP addresses known or suspected to be associated with fraudulent activities
• Enhanced controls over account maintenance changes initiated by customers through the online banking channel or through the call center
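The layered controls listed above, and the out-of-band transaction verification that defeats the man-in-the-browser rewrite described in the MITB slide, can be expressed as a small screening engine. The following is an added example written for this page, not code from the CUNA Mutual deck or from any vendor product; the policy thresholds, the IP reputation list, the user name and every transfer are constructed sample data.

```python
"""Layered transaction screening for online banking.

Added example, not code from the CUNA Mutual deck. Each check is one layer from
the FFIEC list: IP reputation, day/hour restrictions, monetary and frequency
limits, ACH debit blocks, and out-of-band verification that echoes the amount
and destination the server actually received, which is what exposes a
man-in-the-browser rewrite. Thresholds, IP list and transfers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class AccountPolicy:
    per_transfer_limit: float   # dollars per single transfer
    max_transfers_per_day: int  # counts every submission, blocked or not
    allowed_hours: range        # local hours in which transfers may be submitted
    allowed_weekdays: set       # 0 = Monday ... 6 = Sunday
    ach_debit_block: bool       # reject ACH debits outright
    oob_threshold: float        # amounts at/above this need out-of-band confirmation


@dataclass
class Transfer:
    tx_id: str
    user: str
    kind: str                   # "ach_credit", "ach_debit", "wire", "billpay"
    amount: float
    destination: str
    source_ip: str
    submitted_at: datetime


# Constructed reputation list; a real deployment would pull this from a feed.
BAD_IPS = {"203.0.113.45"}


def screen(tx: Transfer, policy: AccountPolicy, history: List[Transfer]) -> Dict:
    """Apply each layer; return 'block', 'verify' or 'allow' plus the layers that fired."""
    reasons = []
    if tx.source_ip in BAD_IPS:
        reasons.append("ip_reputation")
    if (tx.submitted_at.weekday() not in policy.allowed_weekdays
            or tx.submitted_at.hour not in policy.allowed_hours):
        reasons.append("outside_access_window")
    if tx.amount > policy.per_transfer_limit:
        reasons.append("over_monetary_limit")
    same_day = [h for h in history
                if h.user == tx.user and h.submitted_at.date() == tx.submitted_at.date()]
    if len(same_day) + 1 > policy.max_transfers_per_day:
        reasons.append("over_frequency_limit")
    if tx.kind == "ach_debit" and policy.ach_debit_block:
        reasons.append("ach_debit_block")
    if reasons:
        return {"tx_id": tx.tx_id, "decision": "block", "reasons": reasons}
    if tx.amount >= policy.oob_threshold:
        return {"tx_id": tx.tx_id, "decision": "verify",
                "reasons": ["out_of_band_required"], "message": oob_message(tx)}
    return {"tx_id": tx.tx_id, "decision": "allow", "reasons": []}


def oob_message(tx: Transfer) -> str:
    """Text for the second channel (SMS or voice call), built from server-side values only."""
    return f"Confirm {tx.kind} of ${tx.amount:,.2f} to {tx.destination}. Reply YES to approve."


def member_confirms(tx: Transfer, amount_entered: float, destination_entered: str) -> bool:
    """The member approves only if the echoed details match what they typed.

    A man-in-the-browser that rewrote the amount or payee inside the browser
    cannot also rewrite the SMS, so the mismatch surfaces here."""
    return tx.amount == amount_entered and tx.destination == destination_entered


def run_demo() -> Dict:
    """Screen five constructed transfers plus one tampered one; return the outcomes."""
    policy = AccountPolicy(per_transfer_limit=25_000, max_transfers_per_day=3,
                           allowed_hours=range(7, 19), allowed_weekdays={0, 1, 2, 3, 4},
                           ach_debit_block=True, oob_threshold=10_000)
    good_ip = "198.51.100.7"
    txs = [
        Transfer("T1", "ap_clerk", "wire", 4_500.00, "ACME Supply Co", good_ip, datetime(2013, 7, 2, 10, 0)),
        Transfer("T2", "ap_clerk", "wire", 12_000.00, "ACME Supply Co", good_ip, datetime(2013, 7, 2, 10, 5)),
        Transfer("T3", "ap_clerk", "ach_credit", 50_000.00, "Payroll batch", good_ip, datetime(2013, 7, 2, 10, 10)),
        Transfer("T4", "ap_clerk", "ach_debit", 900.00, "Utility Co", good_ip, datetime(2013, 7, 2, 10, 15)),
        Transfer("T5", "ap_clerk", "wire", 2_000.00, "Overseas Ltd", "203.0.113.45", datetime(2013, 7, 7, 3, 0)),
    ]
    history: List[Transfer] = []
    decisions = []
    for tx in txs:
        decisions.append(screen(tx, policy, history))
        history.append(tx)
    # MITB scenario: the member typed $1,200 to ACME; the server received $12,000 to a
    # different account. The out-of-band echo does not match, so the member never approves.
    tampered = Transfer("T6", "ap_clerk", "wire", 12_000.00, "Acct ending 4471",
                        good_ip, datetime(2013, 7, 2, 11, 0))
    mitb_detected = not member_confirms(tampered, 1_200.00, "ACME Supply Co")
    return {"decisions": decisions, "mitb_detected": mitb_detected}


if __name__ == "__main__":
    for d in run_demo()["decisions"]:
        print(d)
```

The layers are deliberately independent: the Sunday 3 a.m. wire from a listed IP is caught twice, and the ACH debit is refused both by the debit block and by the daily frequency limit, which is the point of layering. The out-of-band message is composed only from what the server holds, never from anything the browser sends back, so a rewritten amount or payee is visible to the member before funds move.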
FFIEC Updated Authentication Guidance: FFIEC’s Minimum Expectations
• Perform annual risk assessment
• A fraud monitoring method capable of detecting and effectively responding to suspicious or anomalous activity related to the initial login and authentication of customers and transfers to third parties
• Robust administrative function capabilities for business accounts
– The ability to set up multiple users and assign specific levels of authority to each user;
– The ability to set up monetary limitations for each user who is authorized to initiate payments and transfers through bill pay, ACH, and wires;
– The ability to establish dual control requirements for initiating payments and transfers initiated through bill pay, ACH and wires;
– The ability for the administrator to receive activity reports from transaction logs for reporting purposes; and
– The ability for the administrator to receive account maintenance reports to assess the validity of any maintenance changes.
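The five administrative capabilities above fit together as one authorization workflow: a user directory with roles and per-user limits, a second person required to release payments over a threshold, and reports pulled from an append-only log. The following is an added example written for this page, not code from the CUNA Mutual deck or from any core processor; the user names, limits, threshold and payments are constructed sample data.

```python
"""Administrative controls for a business online-banking account.

Added example, not code from the CUNA Mutual deck. It implements the FFIEC
minimum expectations listed above: several users with assigned authority,
per-user monetary limits on initiation, dual control above a threshold, and
activity and account-maintenance reports drawn from an append-only log.
Users, limits and payments are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    role: str            # "admin", "initiator" or "approver"
    daily_limit: float   # dollars this user may initiate per day (0 for approvers)


@dataclass
class Payment:
    pay_id: str
    channel: str         # "ach", "wire" or "billpay"
    amount: float
    destination: str
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "pending"


class BusinessAccount:
    def __init__(self, first_admin: User, dual_control_threshold: float):
        self.users: Dict[str, User] = {first_admin.name: first_admin}
        self.payments: Dict[str, Payment] = {}
        self.log: List[dict] = []
        self.dual_control_threshold = dual_control_threshold

    def _record(self, kind: str, actor: str, **detail) -> None:
        # Append-only; entries are numbered rather than timestamped so the demo is deterministic.
        self.log.append({"seq": len(self.log) + 1, "kind": kind, "actor": actor, **detail})

    # --- account maintenance (administrators only) ---
    def add_user(self, admin: str, user: User) -> None:
        if self.users[admin].role != "admin":
            raise PermissionError(f"{admin} is not an administrator")
        self.users[user.name] = user
        self._record("user_added", admin, user=user.name, role=user.role, limit=user.daily_limit)

    def set_limit(self, admin: str, user: str, new_limit: float) -> None:
        if self.users[admin].role != "admin":
            raise PermissionError(f"{admin} is not an administrator")
        old = self.users[user].daily_limit
        self.users[user].daily_limit = new_limit
        self._record("limit_changed", admin, user=user, old=old, new=new_limit)

    # --- payments ---
    def initiate(self, pay: Payment) -> str:
        user = self.users[pay.initiated_by]
        if user.role not in ("initiator", "admin"):
            pay.status = "rejected_not_authorized"
        else:
            already = sum(p.amount for p in self.payments.values()
                          if p.initiated_by == user.name and not p.status.startswith("rejected"))
            if already + pay.amount > user.daily_limit:
                pay.status = "rejected_over_limit"
            elif pay.amount >= self.dual_control_threshold:
                pay.status = "awaiting_approval"
            else:
                pay.status = "released"
        self.payments[pay.pay_id] = pay
        self._record("payment_initiated", pay.initiated_by, pay_id=pay.pay_id,
                     channel=pay.channel, amount=pay.amount, status=pay.status)
        return pay.status

    def approve(self, approver: str, pay_id: str) -> str:
        pay = self.payments[pay_id]
        if approver == pay.initiated_by:
            # Dual control: whoever keyed the payment can never release it, whatever their role.
            self._record("dual_control_violation", approver, pay_id=pay_id)
            return pay.status
        if self.users[approver].role not in ("approver", "admin"):
            self._record("approval_denied", approver, pay_id=pay_id, why="not an approver")
            return pay.status
        if pay.status == "awaiting_approval":
            pay.status, pay.approved_by = "released", approver
            self._record("payment_approved", approver, pay_id=pay_id, amount=pay.amount)
        return pay.status

    # --- reports the administrator receives ---
    def activity_report(self) -> List[dict]:
        return [e for e in self.log if e["kind"].startswith(("payment", "approval", "dual_control"))]

    def maintenance_report(self) -> List[dict]:
        return [e for e in self.log if e["kind"] in ("user_added", "limit_changed")]


def run_demo() -> BusinessAccount:
    """Walk a constructed day of activity through the controls."""
    acct = BusinessAccount(User("pat", "admin", 0), dual_control_threshold=5_000)
    acct.add_user("pat", User("dana", "initiator", 20_000))
    acct.add_user("pat", User("lee", "approver", 0))
    acct.initiate(Payment("P1", "ach", 3_000, "Utility Co", "dana"))        # under threshold: released
    acct.initiate(Payment("P2", "wire", 8_000, "ACME Supply Co", "dana"))  # needs a second person
    acct.approve("dana", "P2")                                              # self-approval refused
    acct.approve("lee", "P2")                                               # released
    acct.initiate(Payment("P3", "wire", 15_000, "Overseas Ltd", "dana"))   # 3,000 + 8,000 + 15,000 > 20,000
    acct.set_limit("pat", "dana", 30_000)                                   # appears in maintenance report
    return acct
```

The maintenance report is what lets an administrator notice a limit raised or a user added that nobody requested, which is how the account-takeover losses on the earlier slides typically begin; the activity report records the refused self-approval as its own event rather than silently dropping it.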
FFIEC Updated Authentication Guidance: Member Awareness Program
• Explain protections provided/not provided to members for electronic funds transfers initiated through online banking
– Indicate whether member is entitled to Regulation E protection
• Explain the circumstances, if any, and the means the credit union may contact the member on an unsolicited basis requesting account information
– Most credit unions indicate they will not contact members to request account information
• Explain safe online banking practices
• Recommend business members perform their own risk assessment
• Provide a list of credit union contacts in the event members notice suspicious account activity/experience security-related events
Online Account Opening, Account Funding
• Fraudulent opening of accounts
– Identity theft
– Account used for fraudulent purposes
• Deposit Fraud
– Remote deposit capture
– Electronic Deposits
• Fraud by member
• Fraud by outsider, account compromised
• Fraud by member’s new online friend
[Chart: authentication standards plotted by security (low to high) against complexity and cost of implementation (low to high)]
Authentication methods shown: hardware-based digital certificates, knowledge-based authentication, email verification, password / shared secret.
Identity verification levels shown:
• Level 1 – Verification of an email address
• Level 2 – Online process that compares personal information against widely referenced databases
• Level 3 – Requires physical appearance with government-issued photo identification
What questions do you have?
CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates.
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal
advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss
prevention techniques. No coverage is provided by this presentation/ publication, nor does it replace any provisions of any insurance policy or bond. Credit Union Protection insurance
products offered to credit unions, including the Fidelity Bond, Management & Professional Liability Policy, Special Insurance Package, Plastic Card Policy, Cyber & Security Incident
Policy, and Property/Business Liability Policy are underwritten by CUMIS Insurance Society, Inc., a member of CUNA Mutual Group. CUNA Mutual Insurance Agency, Inc., an affiliate
within CUNA Mutual Group, is the marketing agent licensed to broker various other property and casualty coverage. To determine underwriting company information for each policy type,
please refer to the actual policy documents and declarations pages. Coverage may vary or may not be available in some states. This summary is not a contract and no coverage is
provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
This is not intended to be legal advice but only a high-level review of the law. As the exact interpretation of the statutory requirements will depend on specific facts and circumstances,
credit unions are encouraged to consult independent legal counsel in interpreting the requirements of the law and its application to their operations.
CUNA Mutual Group Proprietary and Confidential. Further Reproduction, Adaptation, or Distribution Prohibited.
© CUNA Mutual Group, 2013. All Rights Reserved.