Faces of Fraud: What Every Institution Should Know

Faces of Fraud: What Every Institution Should Know
Presented by: Tom Field, Editorial Director, Information Security Media Group
BankInfoSecurity.com, CUInfoSecurity.com, GovInfoSecurity.com, HealthcareInfoSecurity.com

About Information Security Media Group
• Publisher of BankInfoSecurity.com, CUInfoSecurity.com, GovInfoSecurity.com and HealthcareInfoSecurity.com
• Focused on providing content about information security specifically for the private and public sectors
• Daily articles, interviews, opinions, agency alerts, white papers
• More than 100 educational webinars
Learn more: https://www.bankinfosecurity.com/checkoutMemberships.php

Agenda
• Research Results
• Faces of Fraud:
  – Skimming
  – POS
  – ACH
• Solutions
• Resources
• Questions?

About Fraud… Let’s Play Fraud Jeopardy!
Answer: 45
Question: How many skimming incidents have there been so far in 2010?

About Fraud…
Answer:
– Phishing!
– Smishing!
– Vishing!
– (Oh, my…!)
Question: What do you call socially-engineered attacks against businesses via:
• E-mail
• Telephone
• Text message

About Fraud…
Answer: 130,000
Question: How many accounts were impacted by the Heartland Data Breach?
Other numbers:
• 3,000 – estimated number of institutions affected
• $60M – proposed Visa settlement
• ?? – amount of time and resources spent replacing cards, monitoring accounts, reassuring customers

The State of Banking Information Security 2010

About the Survey: Methodology
Survey administered electronically in early 2010.
• Banks: 43%
• Credit Unions: 35%
• $2B+ Assets: 26%
• $500M-$2B Assets: 17%
• < $500M Assets: 41%

2010 Hot Topics
• Fraud: Fighting Back
• Beyond Heartland: Secure Payments
• New Services/Technologies: What’s hot, what’s now?

Fraud: Fighting Back
• Which types of fraud have you experienced over the past year?

Fraud: Fighting Back
• Which area of fraud do you feel best prepared to prevent in 2010?

Beyond Heartland: The Heartland Impact 1 Year Later
• Biggest breach ever recorded
• Put industry on notice: processors are the new target
• Raised key question: ‘What does PCI compliance mean?’

Beyond Heartland
• What is the likelihood of another major third-party data breach in 2010?

Beyond Heartland
• What is your level of confidence that PCI DSS can help prevent data breaches?

Beyond Heartland
• Several emerging technologies have been discussed as potential solutions for secure payments. Which is your preference?

Emerging Tech: What’s hot? It’s About So Much More than Mobile
• Consumerization of banking
• Role of social networks
• Need for policies, secure solutions

Emerging Tech: What’s hot?
• Which social networking sites do you currently employ for marketing purposes?

Emerging Tech: What’s hot?
• Does your organization have a social networking policy for employees?

Emerging Tech: What’s hot?
• Do you monitor your employees’ social networking activity?

“What Could Make THE Difference…”
What one factor could have the biggest positive impact on information security in your organization in 2010?
• Regulatory compliance
• Emerging technologies
• Policies and procedures
• Training and education
• Employee/Customer awareness

The Answer
What one factor could have the biggest positive impact on information security in your organization in 2010?

The Faces of Fraud 2010

Fraud Trends: 2010
Skimming
• Beyond the ATM
• Pay-at-the-pump and POS skimming incidents on the rise
POS Attacks
• Swapping out POS devices, e.g. Hancock Fabrics
• Intercepting data in transit, e.g. Julie’s Place
ACH/Wire (aka Corporate Account Takeover)
• Banking credentials stolen
• Huge sums transferred before anyone notices
• Businesses, banks – even churches – at odds over who bears the loss

Skimming
“The small business owner isn't even expecting these kinds of attacks, and isn't prepared for them.” - Mike Urban, FICO

Skimming: Types of Attacks
• ATM – at bank or retail outlet
• Hand-Held – favorite of rogue wait staff
• Self-Service – pay at the pump
• POS Tampering – swap out or infect POS device

POS Attacks
"It's fairly easy in many cases. They'll come in, distract personnel and replace the equipment." - Dr. Anton Chuvakin

POS Attacks
Hancock Fabrics: Baldwyn, MS retail chain
• PIN units stolen and replaced with tampered devices
• Minimum: 140 reports of fraud nationwide
• One OK bank replaced 1,000 cards
• Risk: real people lose real money

POS Attacks
Julie’s Place: Tallahassee, FL restaurant
• Data hacked between POS and processor
• Minimum: 100 accounts, $200,000
• Expert: “So now the hackers have moved to capture the data while it is in transit.”

ACH/Wire Fraud
“Talk is cheap, as we say in Texas.” - Troy Owen, fraud victim

ACH/Wire Fraud: What the Fraudsters are doing
• Infecting corporate computers used for ACH transactions
• Stealing banking credentials
• Creating unauthorized transfers – hundreds of thousands of dollars moved before anyone notices
• Did you know? Corporate accounts are NOT protected from fraud losses the way consumer accounts are!

ACH/Wire Fraud: Whom the Fraudsters Target
I. PlainsCapital Bank v. Hillary Machinery Inc.
Cybercriminals transferred more than $800,000 from Hillary’s PlainsCapital account via ACH and wire transfers.
II. Experi-Metal vs. Comerica Bank
Phishing e-mails to Comerica customers allowed hackers to access Experi-Metal’s online bank account and drain ~$550,000.
III. Village View Escrow Inc. and Professional Business Bank
Hackers broke into Village View’s network, stole bank credentials and sent $465,000 in wire transfers out of the country.
IV. Patco vs. Ocean Bank
Patco’s corporate account was raided after cyber thieves took over the company’s online banking credentials. In six days, $588,000 was drained and moved via money mules in the U.S.

ACH/Wire Fraud: Latest Victim
Catholic Diocese of Des Moines
• $600,000 stolen
• $180,000 recovered
"[The victims] don't have the same level of scrutiny that the major organizations go through, and they are less protected, less aware of the dangers." – Cris Roberts, One World Labs

Fraud Solutions
Employee Training
• Be aware of the latest threats – skimming, POS, ACH and others.
Customer Awareness
• Not just consumers, but businesses – ensure safe practices, especially when banking online.
Enhanced Monitoring
• If a transaction or device looks suspicious, investigate. Encourage employees to do the same.

New Fraud Survey: The Faces of Fraud: Fighting Back
• Gauge the scope of the multi-faceted fraud threat to U.S. banking institutions
• Measure the industry’s preparedness for evolving threats
• Identify specific strategies and solutions employed by banking/security leaders to fight fraud
• Predict the emerging technologies and strategies where institutions are investing their resources
http://www.bankinfosecurity.com/surveys.php?surveyID=9

News Resources
• ID Theft: Consumer Education Is Key – http://www.cuinfosecurity.com/articles.php?art_id=2834
• ACH Fraud: 1 Year Later – http://www.cuinfosecurity.com/articles.php?art_id=2829
• New Fraud Spree Investigated – http://www.bankinfosecurity.com/articles.php?art_id=2804
• 6 Steps to Reduce Online Fraud – http://www.bankinfosecurity.com/articles.php?art_id=2375

Resources: Podcasts
• Partnering to Protect Privacy: Brian Dean of KeyCorp – http://www.bankinfosecurity.com/podcasts.php?podcastID=673
• Banking Malware: End Users are ‘Achilles Heel’: Rocco Grillo of Protiviti – http://www.bankinfosecurity.com/podcasts.php?podcastID=659
• Insider Threat: ‘You Can't Stop Stupid’: Dr. Eric Cole, author – http://www.bankinfosecurity.com/podcasts.php?podcastID=622

Resources: Online Webinar Catalog
http://docs.bankinfosecurity.com/files/handbooks/Catalog-2010/

Questions?
Tom Field
• Twitter: @Securityeditor
• LinkedIn: Tom Field
• E-mail: tfield@ismgcorp.com
• Phone: (603) 793-6127