Information Security: Staying Ahead of The Information Pirates

We’ve all heard of identity theft, phishing and fraud stories. It seems like the bad guys are getting stronger and more sophisticated. Are we all sitting ducks without any defenses? Not quite.

First, let’s acknowledge that phishers and other identity theft criminals have become incredibly sophisticated. They now own data-mining services used to first simply validate email addresses and then to segment them geographically and otherwise. The purpose of this additional investment in resources is to convert phishing (untargeted) to spear-phishing (targeted messages for improved effectiveness). This is highly organized crime, not an amateurish attempt at identity theft. I’m told there are 400 people in an office building outside Moscow dedicated to various specialties in an underground industry dedicated to “improving” the theft and illegal use of our confidential information.

The extent of malware availability is also staggering. You can buy ZeuS, the king of malware software packages, online, along with stolen credit and debit card numbers. There are specialized malware distribution services, validation services, both innocent and not-so-innocent mules, and so on.

Second, let’s also acknowledge that we can’t stop phishing. It is out of our control. However, we CAN minimize our bank’s vulnerability to fraudsters and continue educating our customers to become more protective of their identity.

For example, it helps to ensure that only customers who can handle the security responsibilities associated with ACH, remote capture and other online services get those services. The risk profile of the target customer is key, not simply their sophistication. Customers can’t prevent phishing attacks anyway, so sophistication is less relevant.

The numbers can be intimidating:

· Over 74,000 systems were compromised by the ZeuS Trojan (a “mole” that sits inside the customer’s computer and pretends to be the customer; it steps in between the moment the customer logs in and enters their token and the moment, a few seconds later, when the customer transacts)

· 68,000 stolen credentials in one sample month

· 196 countries affected

These and other staggering statistics were recorded over a period of only one month.

How does it work?

The corporate customer gets infected with a “Trojan” and their credentials for the cash management system are stolen. Within 24 hours, a compromised computer in the client’s own geographic area is used to log into the cash management system as the client. Multiple ACHs are batched, all under $10K, and sent to multiple accounts in the same region or throughout the US. Recipients, a.k.a. “mules”, get the job by responding to emails, “work from home” ads and other scams. They move the money and get a service fee for it. Sometimes they believe their work is legitimate.

The mules send the money via Western Union and other services to recipients outside the US. The bank is notified next business day, law enforcement is also notified and the bank starts the process of ACH reversals. It’s challenging, if not impossible, to bring the money back.

What can you do?

We first need to accept that this is a war of attrition. The bad guys penetrate our customers’ systems, we find ways to combat them, they innovate, we fight back, and so on. There is no perfect solution; only risk mitigation.

The current best practices to improve information security include:

· “One-on-one” contact – package a secure operating system on a USB stick that can only connect to your site. It ensures that, when the customer uses it, their computer can only reach your system.

· Offer single-use keys and browsers.

· Use strong authentication (tokens, multiple factors).

· Analyze usage vs. limits and set account-specific limits (e.g. transfer amounts no higher than last year’s highest transaction). Transactions exceeding the limits are not rejected but suspended, and require a phone call to verify authenticity.

· Consider technologies that can identify compromised computers logging into your own infrastructure

· Deploy predictive systems that look for fraud fingerprints and trend transactions

· Follow NACHA best practices such as ACH debit blocks, exposure limits and monitoring

· Customer education is key. You can take the customer through phishing and malware attack simulations so they can recognize the signs and arm themselves against such attacks.
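To make the account-specific limits item concrete, here is an added example (not code from any bank system or vendor) that derives a per-transfer limit from last year's highest transaction and suspends, rather than rejects, anything over it. The daily exposure cap, its 1.5x multiplier, the function names and the sample data are assumptions made for illustration; the cap is there because a batch of transfers that are each under $10K can pass a per-transfer check on its own.

```python
from dataclasses import dataclass
from decimal import Decimal

RELEASE, HOLD = "release", "hold_for_callback"

@dataclass
class AccountLimits:
    per_transfer: Decimal    # last year's highest single transaction
    daily_exposure: Decimal  # assumed cap on total originated per day

def limits_from_history(history, exposure_multiple=Decimal("1.5")):
    """Derive limits from last year's (day, amount) ACH history."""
    if not history:
        # No baseline yet: every transfer needs a verification call.
        return AccountLimits(Decimal("0"), Decimal("0"))
    per_day = {}
    for day, amount in history:
        per_day[day] = per_day.get(day, Decimal("0")) + amount
    return AccountLimits(
        per_transfer=max(amount for _, amount in history),
        daily_exposure=max(per_day.values()) * exposure_multiple,
    )

def screen_batch(limits, batch, already_sent_today=Decimal("0")):
    """Return (payee, amount, decision, reasons) per entry; nothing is rejected."""
    results, running = [], already_sent_today
    for payee, amount in batch:
        reasons = []
        if amount > limits.per_transfer:
            reasons.append("exceeds per-transfer limit")
        if running + amount > limits.daily_exposure:
            reasons.append("exceeds daily exposure limit")
        if not reasons:
            running += amount  # only released funds count toward exposure
        results.append((payee, amount, HOLD if reasons else RELEASE, reasons))
    return results

# Constructed sample data: one year of history and a batch of sub-$10K transfers.
HISTORY = [("2023-03-01", Decimal("4200.00")), ("2023-03-01", Decimal("3100.00")),
           ("2023-09-15", Decimal("9500.00")), ("2023-11-30", Decimal("2750.00"))]
BATCH = [(f"payee-{i}", Decimal("9400.00")) for i in range(1, 5)]

if __name__ == "__main__":
    account_limits = limits_from_history(HISTORY)
    for row in screen_batch(account_limits, BATCH):
        print(row)
```

In the sample batch every transfer is below the per-transfer limit, yet only the first is released; the rest are suspended for a verification call because of the exposure cap.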

Treasury Management services provide tremendous fee income and customer retention opportunities to community banks. Don’t curtail your marketing activities. Instead, be at the forefront of the information security battle, helping your customers to achieve their business goals while managing the risk associated with effective cash management practices.