1 / 40

Fraud Protections, Cyber-Theft and Controls

Fraud Protections, Cyber-Theft and Controls. By: David T. Schwindt, CPA RS PRA. David T. Schwindt.

joan-schneider
Download Presentation

Fraud Protections, Cyber-Theft and Controls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fraud Protections, Cyber-Theft and Controls By: David T. Schwindt, CPA RS PRA

  2. David T. Schwindt • David T. Schwindt, CPA, a native Oregonian, has over twenty five years experience in public and private accounting including employment with the Portland, Oregon and Denver, Colorado, offices of KPMG Peat Marwick. Mr. Schwindt’s tenure was spent primarily in the Private Business Advisory Services Department providing auditing, accounting, tax, and management consulting services for businesses as well as tax compliance and planning for individuals. • Mr. Schwindt is a graduate of Western Oregon University where he received a Bachelor of Science Degree. He is a Certified Public Accountant in the State of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist – RS, licensed by Community Associations Institute and a Professional Reserve Analyst – PRA, licensed by the Association of Professional Reserve Analysts. He is a past director for Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado and member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council. • Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.

  3. Cyber-theft Are we at risk? YES!!

  4. Who Should be concerned? • Board Members • Management Companies • Affiliates • CPAs • Bookkeepers • Insurance Agents • Bankers • Attorney • Treasurers who have control over reserve funds

  5. Understanding the Adversary • Known fraud rings are mostly Eastern European (Ukrainian, Russian, Romanian, Estonian) as well as Asian • Complete service-based economy with specialists in • ATMs • ACH and wire payment systems • Check processing • Credit card processing • Online libraries, education, marketplace and recruitment • Malware kits sell for as little as $5,000 • Some kits even come with tech support • Attacks involve social engineering and technical aspects

  6. The Goal of Criminals Steal cash Steal information that can be converted to cash

  7. Dissecting a Zeus Attack Criminals target victims by way of phishing or social engineering techniques 1. Target Victims The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account. 2. Install Malware 5. Initiate Funds Transfer The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities Account Take Over Dissecting an Attack The victims visit their online banking website and log on per the standard process The malware collects and transmits data back to the criminals through a back door connection 4. Collect & Transmit Data 3. Online Banking

  8. Phishing • Criminals “phish” for victims using emails, pop-up’s and social engineering • Unsolicited phishing emails may • Ask for personal or account information • Direct the employee to click on a malicious link • Contain attachments that are infected with malware • Contain publicly available information to look legitimate • Phishing emails can be very convincing • From UPS: “There is a problem with your shipment.” • From your bank: “There is a problem with your bank account.” • From the Better Business Bureau: “A complaint has been filed against you.” • From a Court: “You’ve been served a subpoena/selected for jury duty.” • From NACHA or the Federal Reserve: “Your ACH or wire transaction has been rejected.” • From a job applicant: “My resume is attached.”

  9. Sample Phishing Email NACHA Phishing Alert (01/19/2010) – Email Claiming to be from NACHA = = = = = Sample Email = = = = = Dear bank account holder, The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association. Please Find Attached Transaction Report _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Paul Arnold Electronic Payments Association Manager = = = = = = = = = = = = = = = = = = = =

  10. Malicious Software (Malware) Downloaded to PC after employee opens infected attachments in an email or visits a nefarious website Newer malware can be acquired simply by viewing HTML emails Allows criminals to “see” and track employee’s activities internally and on the Internet, including visits to online banking sites Criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate

  11. If you are hacked and your money is gone, who will reimburse you? • Bank? • Management Company? • Insurance Company? • Fidelity Insurance? • Computer Fraud Insurance?

  12. Safeguards • Passwords • Complex • Change passwords regularly • Do not share • Do not store on computer • Stand Alone Computer • No web browsing • No emails • Password

  13. Dual Authorizations , online transactions should be coordinated with the Bank • Financial/IT Audits • Implement recommendations • Yearly • Audits vs Reviews • Education • Board Members • Management Company Personnel

  14. Written Protocols • Controls • Ongoing Education • In the event of an attack • Contingency Plans • Daily reviews of all online transactions • Banks require immediate notification • Firewalls, Anti-virus, IT Security Software, and Protocols

  15. Who is ultimately responsible for ensuring that strong controls are in place to prevent cyber-theft? • Association management company • Independent Auditor • Insurance Agent • Board of Directors • Banker Answer: D. Board of Directors

  16. How does the Board of Directors fulfill this responsibility? • Engaging professionals • CPA • Management Company • Insurance Agent • Banker • IT Consultant • Documenting protocols

  17. Summary Conduct periodic risk assessments Educate Board, management company, and committee members as to the threat, defenses and risks Use a stand-alone PC for online banking; prohibit email, web surfing, etc. Use dual control, dual authorization, activity limits, and receive alerts Review accounts and transactions regularly Recognize the signs of malware on the PC Suspect malware? Stop, unplug the PC and contact your FI immediately. Comply with the PCI Data Security Standards Computer fraud and Fidelity Insurance

  18. A Classic Risk Management Quote “When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident…or any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.” -Edward J. Smith, 1907 (Captain, RMS Titanic, 1912)

  19. Cyber Theft Presented by Kris Gjylameti

  20. Cyber Crime – Growing Trend • Cyber thieves have costs US companies more than $ 15bn in the past five years, the FDIC corporation found in a recent study. • Cyber-crime in 2009 336,655 complaints received $560M lost (not including unreported incidents) • Cyber-crime in 2008 275,284 complaints received $265M lost (not including unreported incidents)

  21. Sample Corporate Account Takeovers and Losses •  Pennsylvania School District - $450,000 •  New York School District - $500,000 •  Experi-Metal - $550,000 •  PATCO - $358,000 •  Hillary Machinery - $229,000 •  Illinois Town - $70,000 •  Marian College - $189,000 •  Sand Springs School - $80,000 •  Sycamore County Schools - $300,000 •  Village View Escrow - $465,000 •  Catholic Diocese of Des Moines - $600,000 •  Town of Pittsford, NY - $139,000 •  Steuben Arcs - $158,000 •  St. Isidore’s Catholic Church - $87,000 •  Two Trucking Companies - $115,000 •  MECA - $217,000

  22. FDIC - Trivia Do you think that the FDIC will insure your money from a cyber theft event? • YES • NO

  23. Primary Targets – Companies • Cyber criminals are no longer attacking banks, they are targeting business • Primary banking products are ACH and wire transfers, Online Bill Pay, E payments Management Companies are the perfect target – Associations with large deposit amounts!!!

  24. Is this you?

  25. Awareness Accept that these threats are real and it could happen to you! • The key is awareness and action on that awareness • If you notice behavior by your system, staff, affiliates or other personnel that just doesn’t seem right, question it

  26. Prevention Methods • Do not open attachments or enter links where the sender is not know to you or the information was not solicited/initiated by you • Security information WILL NEVER be solicited by email • Only browse on internet for business related needs

  27. Questions to ask your Banker • Does your bank give board members online banking transaction capabilities? • Do they ask if the board has proper internal controls? • Dual Controls in online banking • Multiple user approval features and approval levels

  28. Questions to ask your Banker • User level functionality that allows you to set access and limits per the needs of the user along with managing what the user can see. • Email notifications – Have your balances changed?

  29. Questions to ask your Banker • Out of Band verification for ACH and Wire transactions when funds are leaving your account. • Does your bank provide a layered security?

  30. Control: Out-of-Band Authentication Enhanced Multi-Factor Authentication 1. User logs in with their Username and Password • Something you know

  31. Control: Out-of-Band Authentication • 2. User is prompted to select channel for • delivery of One Time Password (OTP) • • Something you have * Because of multi-factor authentication, fraudster can not independently log into a user account. • Fraudster would need to know username/password AND have the users phone. *

  32. Control: Transaction Verification • Require secondary approval of transactions or key changes with OTP

  33. Consumer v.s. Commercial Banking fraud • Immediate fraud identification, reporting and escalation is required. • Commercial Clients have a duty to secure their information. • Losses due to commercial client negligence can possibly result in a loss to the client.

  34. Control: Callbacks • Bank should call to verify whether a transaction is authentic: •  The call should go to someone other than the person who initiated the transaction •  Call should be confirmed by a “PIN”

  35. Consumer v.s. Commercial Banking fraud • Reporting periods for are based on the method of fraud and other circumstances. Check with your bank and ask for their specific reporting criteria. • Millions can be lost in minutes so don’t delay! Contact your bank and make them aware of the cyber theft. • Immediate reporting is critical to the success of recovering and mitigating losses when fraud occurs due to the timeframes set by the Federal Reserve, UCC or NACHA

  36. Consumer Protection • Reg E – Provides Consumer Protection. • Consumers enjoy much more protection from cyber theft or banking fraud. • There is less of a burden for consumers and more on Commercial Businesses

  37. Commercial Clients • Monitor your account and audit your NACHA files for fraudulent activity. • Collectively participate in your own - Information Security • There is varying case laws with commercial client breaches – each situation is unique

  38. Prevention Methods continued MOST IMPORTANTLY, if you think you have clicked, open or downloaded a virus or software program, notify your supervisor and/or IT staff immediately The longer you wait, the more damage can occur!!!

  39. Additional Resources • FDIC - website (www.fdic.gov) offers a wealth of information on this and related topics • FDIC - has produced an excellent video “Don’t be an Online Victim” which can be found on YouTube

  40. “The world isn’t run by weapons anymore, or energy, or money. Its run by little ones and zeroes, little bits of data. “ Sneakers (1992) Kris Gjylameti

More Related