Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

November 18, 2013

Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud

The Retail Payments Risk Forum and the southeastern Regional Payments Associations (RPAs) cohosted an Executive Fraud Forum at the Atlanta Fed on October 30. Forum attendees engaged with speakers and panelists on such issues as the latest payments fraud trends, legislation and regulation, and best practices for financial institutions to mitigate risk in today's dynamic payments environment.

In one session, Federal Reserve Bank of Atlanta senior examiner Tony DaSilva discussed best practices to combat cybercrime. Cybercrime remains top of mind for financial institutions because denial-of-service attacks, which overload an institution's computers so customers cannot access their account information, can affect an institution's reputation and divert attention away from account takeover attempts. Account takeover is when a fraudster uses malware to attempt to steal a customer's valid online credentials and direct payments—often via wire and ACH—out of the customer's account. DaSilva suggests that financial institutions should assume that their systems are infected, and thus constantly, proactively monitor for cybercrime.

DaSilva also highlighted the importance for an institution's board and management to understand the nature of current cyber threats, assigning adequate IT resources and using industry tools to contend with cybercrime. DaSilva also emphasized the importance of following regulatory guidance.

A critical piece of regulatory guidance in this area is the Federal Financial Institutions Examination Council's (FFIEC) 2011 supplement to its 2005 guidance, Authentication in an Internet Banking Environment. The updated guidance recognizes the changing nature of cyber threats, including account takeovers, and emphasizes three area of responsibility for institutions.

  • Periodic risk assessments, at a minimum every 12 months, are important. In these assessments, institutions should consider the current threat landscape, changes in customers, and actual incidents, and then make adjustments to customers' authentication controls
  • Layered security for high-risk Internet-based systems should at a minimum detect and respond to anomalies and have robust controls for system administrators of business clients
  • Education should focus on making consumer and business customers aware of security steps, and should explain federal consumer protection provisions, risk controls offered by the institution and relevant institution contacts

For more on this topic, view Tony DaSliva's video interview and presentation on the conference web page.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 18, 2013 in cybercrime, malware, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b014a7228970c

Listed below are links to blogs that reference Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 05, 2013

Gone Phishing: How Your Employees' Bad Security Habits Can Impact Your Business

Phishing is the practice of sending an e-mail that appears to originate from a legitimate representative of a company or government agency in an effort to get the recipient to click on an embedded link. The link takes the individual to a cleverly disguised imposter of a legitimate website. Here, the targeted victim is asked to enter various account credentials that the criminal records and uses later to access the individual's accounts. A refined version of phishing, known as "spear-phishing," targets specific employees to try to gain access to their companies' financial accounts or files. At mid-sized to large companies, such an e-mail could appear to be an internal directive from HR or IT.

While early phishing efforts were easier to spot through their spelling and grammatical errors or poor company logo reproductions, many criminals have become more sophisticated. They now produce well written and convincing messages with high-quality graphics that make the messages appear legitimate and create a sense of urgency. In some cases, a criminal's success in writing a convincing message comes through the practice of social engineering. He or she "researches" targeted individuals by gathering information about their interests, activities, family, and friend names, travels and other personal information through their social network sites. The criminal weaves some of this information into the phishing message. For example, if the criminal sees you are an avid golfer, you might get an e-mail that seems to be from a sporting goods company asking you to enter a sweepstakes contest to win a set of clubs. Most people would never think of providing information such as birthday, place of birth, or other personal data to a stranger they meet on the street, but often do so without hesitation on social websites.

Many employers provide periodic workplace security training including warnings not to click on links that are unknown or appear to be suspicious. Despite such efforts, an investigation conducted after a criminal online intrusion generally reveals that an employee did such a thing to start the chain of events. That employee's actions resulted in the disclosure of the information necessary to illegally access the company's accounts or to download malware into the employee's computer that sniffed for the account credential information and later relayed it to the criminal. Unfortunately, many small businesses neglect this education and find themselves victims of major financial losses that can threaten the viability of their entire businesses.

There are hardware and software solutions that provide some layer of protection to a business, but the best protection is having educated and aware employees who receive frequent training and reminders about the importance of solid workplace computer safety practices. Employees must be made to understand that lax or weak online security practices in their personal lives can be harmful to themselves and to their employers.

Tell us: how do you protect yourself and your business from phishing?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 5, 2013 in cybercrime, fraud, malware | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01910497c249970c

Listed below are links to blogs that reference Gone Phishing: How Your Employees' Bad Security Habits Can Impact Your Business:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d430443c3970c

Listed below are links to blogs that reference Are You the Weakest Link?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 15, 2013

Do Cyberattacks Threaten Confidence in Our Payment Systems?

This past October, former Defense Secretary and CIA Director Leon Panetta said, "A cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11." In the days leading up to this statement, multiple major U.S. banks were the targets of cyberattacks known as distributed denial of service (DDOS). In these attacks, which continue to take place on a steady basis, a bank's servers are overwhelmed by a flood of messages from networks of computers infected with malicious software (botnets) leading to website outages. Frequently, these attacks are politically motivated and are undertaken by foreign states. They are intended to be disruptive and create customer service dissatisfaction rather than to commit fraud.

At a recent conference I attended, security expert and former senior White House Advisor Richard Clarke suggested that technology and automated tools currently used to detect and prevent these attacks aren't always effective. For instance, firewalls can be penetrated and, although antivirus tools are good protection against the general hacker, they may not be as effective against the sophisticated malware that the well-organized bad guys are creating at alarming rates. The primary goal of implementing security measures is prevention, of course, but we have to be realistic in accepting there will always be some number of successful attacks requiring post attack countermeasures.

To date, these DDOS attacks have created only short-term inconveniences for consumers. I believe that consumers' overall confidence in payment systems remains high, and rightfully so. But the threat for a mass disruption to financial institutions and the payments community through a cyberattack on U.S. companies is real. Consider the potential ramifications that a nationwide cyberattack could have on the U.S. banking and payment systems. We need only look at the cash crunch that Hurricane Sandy caused to the payment system in the Northeast last October, when the area experienced prolonged electrical and resulting communication outages. The banking community, led by FS-ISAC and others, must continue its efforts to not only prevent, but also plan for a response to an extended, widespread cyberattack to avoid even worse disruptions and a subsequent loss in confidence in our payment systems.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 15, 2013 in cybercrime, malware | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d42cfa51e970c

Listed below are links to blogs that reference Do Cyberattacks Threaten Confidence in Our Payment Systems?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 11, 2012

A human firewall? Tips to keep information secure

As we've discussed on Portals and Rails in the past, PIN cardholder verification offered by ATM and debit cards has proven superior in preventing fraudulent transactions compared to signature cardholder verification. And while a PIN is a solid fraud deterrent, it is by no means 100 percent effective in reducing fraud. As we are in the midst of ATM and Debit Card Safety Awareness Month, it is important for consumers to understand their responsibility in the fight against cardholder fraud.

Financial institutions and the ATM and debit card networks have robust fraud detection and prevention systems and measures in place. However, cardholders need to view themselves as "human firewalls" of sensitive data, including ATM and debit card information and PINs. While fraudsters have become highly sophisticated at obtaining this data, weak PIN selection and security by cardholders makes it easier for fraudsters to commit their crimes.

In today's prolific social media world, weak PINs do not just include simple numbers such as "1111" and "1234." With more information than ever about us online, a birth date, address number, or even an anniversary date could prove to be an easily guessed PIN. According to a study by a Cambridge University Computer Laboratory team, one out of every 11 wallets could contain cards with easily discovered PINs. And ATM and debit card fraud can be more costly to cardholders than credit card fraud. Fraudulent ATM and debit card transactions verified by a PIN generally carry a higher consumer liability limit than do credit card or signature debit transactions. This is especially true if a consumer fails to report a card or PIN as lost or stolen or identify a fraudulent transaction in a timely manner.

In the spirit of ATM and debit card safety awareness, we encourage all cardholders to strengthen any weak PINs as well as follow these and other suggested tips from the PULSE ATM/debit network:

  • Monitor your financial account statements.
    Many experts recommend reviewing accounts online daily so that any suspicious activity is spotted quickly. Switch from postal delivery of statements to online access or ensure that mailed statements are sent to locked boxes and not left available to fraudsters.
  • Protect your wallet, purse and PIN.
    Carry only what you need and avoid carrying items with private information such as your Social Security number. Don't share your PIN with anyone. That means don't write it down and don't give it to a clerk or anyone else to enter for you.
  • Be extra alert at ATMs.
    Don't use an ATM if it is in an unlit or hidden area. Block the keypad while entering your PIN so you can't be observed. If an ATM looks phony or has a suspicious card reader that is loose or not part of the main body of the machine, do not use it.
  • Protect your online shopping.
    Update computer anti-virus software, anti-spyware, and firewalls. New attacks come frequently, and your software provider will frequently send updates to stop them. Use only secure sites and network connections when shopping online.
  • Protect personal information online.
    Limit social media access to friends only and don't "friend" people you don't know. Fraudsters use personal information such as birth dates, family and pet names, high schools, and birth cities to "verify" your identity.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 11, 2012 in cards, consumer fraud, identity theft, malware | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01630665afc9970d

Listed below are links to blogs that reference A human firewall? Tips to keep information secure:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 09, 2012

Mobile payments malware: Assault and low battery

According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and subsequently go for market size in their exploits. Within a year, he says we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview of Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.

I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.

Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.

The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.

The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.

Who is opening spam and why?

Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections to protect data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

April 9, 2012 in malware, mobile banking, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016303e2a50c970d

Listed below are links to blogs that reference Mobile payments malware: Assault and low battery:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 09, 2010

Shopping at the Fraud Mall: Fictional fantasy or harsh reality?

One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.

Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.

In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.


Computer hacker billboard


Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.

I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conflicker were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.

Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.

Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.

The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."

Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud and protecting our assets, our people, and our reputations is going to take more time an effort than ever before.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348607ca64970c

Listed below are links to blogs that reference Shopping at the Fraud Mall: Fictional fantasy or harsh reality?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 12, 2010

The confluence of payments, social networks, and malware: Elements of a perfect storm?

Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?

More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.


Fastest-growing-content-categories-via-application-access-on-mobile-devices
ENLARGE

Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.


Impressions-for-each-type-of-phishing-site
ENLARGE

Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.

Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.

Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485620cfb970c

Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 24, 2010

Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133ee5157af970b

Listed below are links to blogs that reference Bank revenues and fraud detection: A marriage made in heaven?:

Comments

Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.

Posted by: richard oliver | May 24, 2010 at 02:13 PM

The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Posted by: Rob | May 24, 2010 at 01:49 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 26, 2010

Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult

The story is all too common. Malicious software infiltrates an unsuspecting victim's computer. The malware steals the victim's password and user name and gains access to his or her online bank accounts. Often times, the perpetrator steals the victim's funds through fraudulent wire transfers and ACH transactions, and the money ends up in accounts overseas, where the likelihood of recovery quickly diminishes. This year, banks and businesses alike experienced an increased level of cyber-attacks aimed at hijacking online banking accounts.

Although the crime itself is not new, the reason for concern is simple: hacking software is more sophisticated than ever, making detection and prevention more difficult. Because the legal boundaries for the liability of banking institutions are still evolving, this increasing sophistication poses a significant challenge.

Malicious software bypasses bank security
Some of today's most advanced malware can compromise security tokens and authentication techniques, demonstrating that even two-factor and multi-factor security techniques are vulnerable. Real-time Trojan horses—such as Clampi and Zeus—can allow the fraudster to use two- or multi-factor authentication security to steal banking credentials, thereby causing a weak link in the financial security chain. Other infections rewrite the bank's login screen that displays on the victim's computer and intercept the victim's credentials before they reach the bank's Web site.

A significant part of the growing threat to online banking are Zeus variants like the Mariposa botnet, which injects contents directly into Internet pages and intercepts credentials, preventing the user from sending them to legitimate sites. Luckily, online security firms and other officials shut down the Mariposa botnet in March, but not before its impact was felt worldwide.


Sophisticated-hacking-software
ENLARGE

Identifying the weakest link
Some banks are looking beyond their own security systems and focusing on what they perceive is their weakest security link: the user. A number of types of software are available to banks to help in their efforts to combat unauthorized intrusions. For instance, one type allows banks to remotely analyze the computers of hacked customers. The customer, upon suspecting a breach, downloads the software onto his or her computer, at which point the bank performs a quick search for any digital tracks, software, or other evidence the online hackers may have left behind. The information the software gathers can better inform banks of where attacks originate from, patterns, and trends—and, hopefully, lead to the eventual recovery of lost funds. Other types of software are designed for business banking systems that evaluate risk based on individual online actions and rate overall session activity by identifying inconsistent behaviors for each user.

So, the account has been hacked, now what?
The Electronic Funds Transfer Act and Regulation E protect consumers' online banking transactions from fraudulent electronic money transfers. Businesses accounts, on the other hand, must look elsewhere for similar protections. The Uniform Commercial Code Article 4A governs the allocation of fraud losses arising from funds transfers for business accounts. Under Article 4A, the bank will be held accountable for fraud losses only if it failed to follow a series of procedures, including adopting commercially reasonable security measures.

But what exactly does "commercially reasonable security measures" mean? Generally, banks have followed the practice that as long as the security the bank establishes and follows have been in line with commonly accepted commercial practices within the industry, then these security measures passed muster. Lately, however, this practice has not been as clear as it once was. In fact, this very question—that of what exactly constitutes commercially reasonable is at the center of several ongoing lawsuits, particularly one currently being heard in a Texas court.

Will this case, and the others that will follow, reshape the approach to secure online banking by establishing new standards that outline what counts as commercially reasonable security? And will those new standards require banks to upgrade to software designed to spy on the bad guys, monitor consumers' activities, or both? In reality, fraudulently penetrating banking security systems will occur no matter how sophisticated or reasonable the security measure. But as more consumers and businesses move to online banking, commercially reasonable expectations for securing online transactions should be calibrated against the technological sophistication of hackers and their software to improve detection and protection against online banking fraud.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.

April 26, 2010 in malware, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133ecf7c998970b

Listed below are links to blogs that reference Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in