2010 FIBA Conference
The Bank Fraud Reality:
Experiences and Perspectives of U.S. Banks
Michael B. Benardo
Cyber Fraud and Financial Crimes Section Chief
Division of Supervision and Consumer Protection
Federal Deposit Insurance Corporation
Outline
 Phishing
 Corporate Account Takeover Risks
 Third Party Payment Processor Risks
 Mobile Banking Risks
Phishing
Phishing
• An e-mail that looks like it is from a legitimate
source – PayPal, a financial institution, FDIC
• The recipient provides personal or financial
information, such as bank account or credit
card numbers, passwords, date of birth, social
security number
• Financial loss and/or identity theft
Phishing
• Skyrocketed, with significant increases since the
mid-1990s – ignited by the Internet and PCs
• Criminals moved quickly to newer technologies
that provided easy access and anonymity
Typical Phishing e-mail
• Urgent!
• Use fear
• More sophisticated than in the past
Phishing and Related Threats
Spear Phishing
• Sending specific e-mail to a targeted group of recipients
• Leads them to a “spoofed” Web site that looks like the authentic Web site
Pharming
• Exploits a vulnerability in DNS server software to redirect traffic for a legitimate
Web site to a site the attacker controls
• DNS servers resolve Internet host names into IP addresses, so a corrupted answer
sends the browser to the wrong server even though the user typed the correct name
Spyware
• Malicious programs that install themselves on a victim's computer
• Once inside, can secretly change security settings and record keystrokes
• Criminals use the stolen personal information (passwords, credit card numbers) to
gain access to your accounts
Other Phishing Threats
• Vishing (voice phishing: the lure arrives by telephone call rather than e-mail)
• Blended threats (attacks that combine several of these channels)
Corporate Account Takeover Risks
Corporate Account Takeovers
• Recent Headlines:
“Cybercrooks Stalk Small Businesses that Bank Online”
“European Cyber-Gangs Target Small U.S. Firms”
“Broad New Hacking Attack Detected”
Corporate Account Takeovers
• Impacting Web-based payment origination services
for business customers
• Resulting from compromised online banking login
credentials of:
– Business customers
– Municipalities
– Churches and religious institutions
Corporate Account Takeovers
• Fraudulent EFT transactions
– Automated clearing house (ACH)
– Wire transfers
• Crimeware (malicious software)
– Trojan horse programs
– Key loggers
– Other spoofing techniques
Corporate Account Takeovers
• Awareness, education and collaboration
– Financial institutions
– Small businesses
– Technology providers
– Law enforcement agencies and banking regulators
Corporate Account Takeovers
• SA-147-2009: Fraudulent Electronic Funds Transfers
www.fdic.gov/news/news/specialalert/2009/sa09147.html
• SA-185-2009: Fraudulent Work-at-Home Funds
Transfer Agent Schemes
www.fdic.gov/news/news/specialalert/2009/sa09185.html
Third Party Payment Processor Risks
Payment Processor Relationships
• High Risk Activities
– Telemarketing
– On-line merchants
• Payment Types
– Remotely Created Checks (RCCs)
– ACH
Third Party Payment Processors
• Risks
– Strategic Risk
– Credit Risk
– Compliance Risk
– Transaction Risk
– Legal Risk
– Reputation Risk
• Financial institutions may be viewed as facilitating a
payment processor’s or a merchant client’s
fraudulent or unlawful activity
Third Party Payment Processors
Processor Due Diligence & Underwriting
• Policies and procedures
• Background check of processor and merchant clients
• Processor approval program that extends beyond
credit risk management
• Authenticate the processor’s business operations
and assess the risk level
Third Party Payment Processors
Ongoing Monitoring
• Monitor for elevated rates of returns or chargebacks
• FFIEC BSA/AML Examination Manual urges financial
institutions to assess and manage risk with respect to
third-party payment processors
• Risk management program should include
procedures to monitor payment processor
information (e.g., merchant data, transaction volume,
chargeback history)
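The monitoring procedure above (merchant data, transaction volume, return and chargeback history) is mechanical enough to automate. The following added example, which is not from the FDIC presentation, aggregates a processor's transaction records per merchant, computes overall and unauthorized return rates, and raises an alert when either exceeds a threshold, while ignoring merchants with too little volume to judge. The thresholds, the list of unauthorized ACH return codes and the sample transactions are assumptions chosen for illustration, not figures quoted by the page.

```python
"""Added example: per-merchant return/chargeback monitoring for a
third-party payment processor relationship."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: rates are per merchant over the monitoring window.
UNAUTHORIZED_RETURN_MAX = 0.01   # share of items returned as unauthorized
OVERALL_RETURN_MAX = 0.15        # share of items returned for any reason
MIN_ITEMS = 20                   # skip merchants with too little volume to judge

# ACH return reason codes treated here as "debit was not authorized".
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29", "R51"}


@dataclass
class Txn:
    processor: str
    merchant: str
    kind: str          # "ACH" or "RCC"
    amount: float
    status: str        # "settled", "returned" or "chargeback"
    reason: str = ""   # return reason code when status != "settled"


def build_sample():
    """Constructed transactions for one processor with three merchants."""
    txns = []
    # Telemarketer: 100 ACH debits, 18 returned, 6 of them as unauthorized.
    for i in range(100):
        if i < 6:
            status, reason = "returned", "R10"
        elif i < 18:
            status, reason = "returned", "R01"
        else:
            status, reason = "settled", ""
        txns.append(Txn("ProcessorX", "TeleMerchant", "ACH", 49.95, status, reason))
    # Online retailer: 100 RCC items, 5 returned for insufficient funds.
    for i in range(100):
        status, reason = ("returned", "R01") if i < 5 else ("settled", "")
        txns.append(Txn("ProcessorX", "WebShop", "RCC", 120.00, status, reason))
    # New merchant with only 10 items: too few to judge, even at 50% returns.
    for i in range(10):
        status, reason = ("returned", "R10") if i < 5 else ("settled", "")
        txns.append(Txn("ProcessorX", "NewMerchant", "ACH", 25.00, status, reason))
    return txns


def merchant_stats(txns):
    """Aggregate item counts, returns and dollar volume per (processor, merchant)."""
    stats = defaultdict(lambda: {"items": 0, "returned": 0, "unauthorized": 0, "volume": 0.0})
    for t in txns:
        s = stats[(t.processor, t.merchant)]
        s["items"] += 1
        s["volume"] += t.amount
        if t.status in ("returned", "chargeback"):
            s["returned"] += 1
            if t.reason in UNAUTHORIZED_CODES:
                s["unauthorized"] += 1
    return stats


def flag_merchants(txns):
    """Return alert dicts for merchants whose return rates breach a threshold."""
    alerts = []
    for (processor, merchant), s in sorted(merchant_stats(txns).items()):
        if s["items"] < MIN_ITEMS:
            continue
        overall = s["returned"] / s["items"]
        unauthorized = s["unauthorized"] / s["items"]
        reasons = []
        if unauthorized > UNAUTHORIZED_RETURN_MAX:
            reasons.append(f"unauthorized return rate {unauthorized:.1%} "
                           f"exceeds {UNAUTHORIZED_RETURN_MAX:.1%}")
        if overall > OVERALL_RETURN_MAX:
            reasons.append(f"overall return rate {overall:.1%} "
                           f"exceeds {OVERALL_RETURN_MAX:.1%}")
        if reasons:
            alerts.append({
                "processor": processor,
                "merchant": merchant,
                "items": s["items"],
                "volume": round(s["volume"], 2),
                "overall_return_rate": overall,
                "unauthorized_return_rate": unauthorized,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in flag_merchants(build_sample()):
        print(f"{a['processor']}/{a['merchant']}: " + "; ".join(a["reasons"]))
```

Only the telemarketer trips the alert; the retailer's 5% NSF returns are ordinary, and the new merchant's 50% return rate is suppressed by the minimum-volume guard, which is why such a merchant still needs the background check and underwriting described on the previous slide rather than statistics alone.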
Third Party Payment Processors
Red Flags
• Payment processors that use more than one financial
institution to process merchant client payments
• One or more of those banking relationships has been
terminated as a result of suspicious activity
• The payment processor's merchant clients inappropriately
obtain personal account information and use it to create
unauthorized RCCs or ACH debits
Third Party Payment Processors
When Fraudulent Activity is Suspected
 File a Suspicious Activity Report (SAR)
 Require payment processor to cease processing for
that specific merchant
 Terminate financial institution’s relationship with the
payment processor
Mobile Banking Risks
Mobile Banking
• Banking: alerts, funds transfers, balance checking
• Payments: payments at point of sale, domestic P2P,
cross-border remittances
• Prepaid on the phone
Mobile Banking
• P2P initiatives introduced on mobile phone gaining
traction in United States:
– SMS texting – convenience may drive adoption
– iPhone, Droid, smartphone Apps
– “Bump” phones to exchange information
Mobile Payments
Haiti Earthquake Donations
• Bank-agnostic payment – telecoms extending credit, so the
donation is billed by the wireless carrier rather than a bank
• Error resolution issues:
– What happens if the $20 donation instruction you
sent to Haiti appears as a $200 or even a $2,000
charge on your bill?
– What if there is a disagreement about the error
between you and your wireless carrier?
Mobile Payments
Haiti Earthquake Donations
• Who regulates transaction to protect consumer from
identity theft, payment fraud and other payment
risks?
• Charity scams – FBI and other warnings
Mobile Banking/Payment Security Threats
• Mobile malware and viruses
• Secure access
• BSA and AML – prepaid on the phone
• Un-trusted applications
• Authentication
• Identity theft
• Regulatory framework
• Who owns the customer? Consumer protections?
Questions?
Thank you!