Online Account Takeover - VACUL

Page 1

CUNA Mutual Group Proprietary

Reproduction, Adaptation or Distribution Prohibited

© CUNA Mutual Group 2013

Online Account Takeover

Roger Nettie

Page 2

Session Outline

• Types of attacks

• Movement of funds

• Consumer versus commercial accounts

• Liability Issues

• FFIEC guidelines

• Online Account Opening & Funding

Page 3

Types of Attacks

• Key Logging

• Man-in-the-Middle

• Man-in-the-Browser

• Account Recovery

• DDoS

– Disruptive?

– Distraction?

Page 4

Keylogger Malware

SecureIT Researchers: ZeuS Trojan Detections on the Rise

• The ZeuS Trojan that was employed by cyber crime rings to steal millions of dollars from U.S. banks in fall 2010 appears to be making a comeback. Our SecureIT researchers spotted a 55% increase in ZeuS Trojan or Zbot detections thus far in Q2 2013 versus Q1 2013. The new version of the ZeuS Trojan, dubbed Zbot, is a botnet targeted towards stealing your banking information. A botnet is a group of Internet-connected devices that communicate with one another and carry out tasks simultaneously. These devices are capable of causing serious mayhem if they’re all instructed to attack a single target, like a bank, at the same time.

Page 5

Movement of Funds

• Cross-member transfer

• Bill Payment

• ACH

• Wire Transfer

Page 6

Terminology

• Member-to-Member (M2M)

– Cross-member transfer

• Account-to-Account (A2A)

– Member-generated ACH

– Debits and credits

• Person-to-Person (P2P)

– Consumer-friendly identification layer over ACH

– Generally sending funds

• Peer-to-Peer (also P2P)

– Book-entry closed systems such as PayPal

Diagram on the slide (one flow per term above):

– M2M: CU Member → CU Member; book-entry transfer

– A2A: CU Member → FI Account; basic ACH origination

– P2P: CU Member → FI Account; ACH origination keyed by a phone/email identifier

– Peer-to-Peer: Vendor Account → Vendor Account; book-entry transfer

Page 7

Movement of Funds

• Cross-member transfer

• Bill Payment

• ACH

• Wire Transfer

• Money Mules

• Prepaid Debit Cards

Page 8

Money Mules

• How they work

– Recruited through email-based work-at-home job scams

– Helping companies process payments

– Receives a fraudulent transfer (often under $10,000), keeps a small percentage, and wires the remainder to contacts abroad

• Problems they create

– Not the brightest individuals, trouble following instructions, mess up the details (reasons they are unemployed)

– Transposing digits in account and R&T numbers

– Failure to remove funds in a timely manner

– Might disappear with the money themselves

Page 9

Hackers steal $527,000 from LES FCU account at bank

Page 10

Credit Union Breaches

• Accounts at Corporate Credit Unions

• A $650,000 loss where a credit union gave new online password access to somebody over the phone for a business account, and the perpetrators drained the account using the bill payment feature.

• Large loss situation where thieves got into multiple member accounts, and used cross-member transfer capabilities to transfer funds into a single member's account. This single member fell for a money mule scam, and took the proceeds over to Western Union to make international wire transfers.

• Phishing of members, ACH credits

Page 11

Credit Union Breaches

• Multiple waves of malware/mule and cross-member transfers

• ACHs to prepaid debit cards

• ACH payroll, with security

• ACH payroll, without security

• Core processor breach of password information?

• Wire, confirmed through email

• Wires by phone, then wires by online request

Page 12

Man-in-the-Browser Attacks

Diagram on the slide (attack sequence, left to right):

1. Cyber crook sends a password-stealing Trojan as an email attachment or a link to an infected website.

2. User logs into the online banking system. The Trojan wakes up when targeted online banking website(s) are visited.

3. User enters transfers – ACH or wires.

4. MITB overwrites the user’s transaction, changing dollar amounts and destination accounts.

5. Funds are sent to the money mules.

6. Mules withdraw money and wire it to the cyber crooks.

For educational purposes only
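The control that counters the overwrite step above is out-of-band transaction verification (one of the layered controls the FFIEC guidance lists later in this deck): the confirmation is built from the details the server actually received and is shown to the member on a separate channel, so an amount or destination altered in the browser is visible before the transfer is released. The Python below is an added illustration, not code from the presentation; the OobVerifier class, its demo key and the constructed transfers are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_cents: int

def _code_for(key: bytes, nonce: str, t: Transfer) -> str:
    """Six-digit code bound to the exact details the server received."""
    msg = f"{nonce}|{t.source}|{t.destination}|{t.amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class OobVerifier:
    """Server side of out-of-band transaction verification (hypothetical API)."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, {}

    def start(self, received: Transfer):
        """Record the transfer as the server saw it; return the message to send
        over the second channel (SMS/voice), which the browser never sees."""
        nonce = secrets.token_hex(8)
        self._pending[nonce] = received
        text = (f"Confirm transfer of ${received.amount_cents / 100:,.2f} to account "
                f"{received.destination}. Code: {_code_for(self._key, nonce, received)}")
        return nonce, text

    def complete(self, nonce: str, code: str) -> bool:
        """Release only if the code matches the details recorded at start()."""
        pending = self._pending.pop(nonce, None)
        if pending is None:
            return False
        return hmac.compare_digest(_code_for(self._key, nonce, pending), code)

def member_reviews(oob_text: str, intended: Transfer):
    """Member compares the phone message with what they typed; reveals the code only if it matches."""
    expected = f"${intended.amount_cents / 100:,.2f} to account {intended.destination}"
    return oob_text.split("Code: ")[1] if expected in oob_text else None

def run_flow(intended: Transfer, submitted: Transfer, key: bytes = b"demo-key") -> bool:
    """submitted is what reaches the server: equal to intended unless an MITB Trojan rewrote the form."""
    verifier = OobVerifier(key)          # demo key is a constructed value
    nonce, text = verifier.start(submitted)
    code = member_reviews(text, intended)
    return code is not None and verifier.complete(nonce, code)
```

A code delivered in the browser session would not help here; the point is that the member sees the server's view of the amount and destination on a channel the Trojan cannot rewrite.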

Page 13

Overwrites User’s Transaction

This illustration is created for educational purposes only.

Page 14

Consumer Versus Commercial Accounts, Liability

• Consumer Accounts

– Member negligence

– Regulation E

• Commercial Accounts

– Credit union accounts

– ACH transactions/Payrolls

– Wire transfers

– Uniform Commercial Code Article 4A

– Commercially reasonable security procedures

– Written funds transfer agreements

Page 15

FFIEC’s Updated Authentication Guidance

• The Federal Financial Institutions Examination Council (FFIEC) issued updated authentication guidance on June 28, 2011

• Risk assessments

– Financial institutions must review and update risk assessments

• To reflect changes in the threat environment;

• Prior to implementing a new electronic service; or

• At least every 12 months

– Adjust authentication controls and add layered security controls as appropriate

• Enhanced multifactor authentication for high risk transactions

– ACH and/or wire transfer capabilities

• Implement administrative control capabilities for business accounts

• Implement layered security controls

– Multiple controls implemented at various points in the transaction process

– If one control is compromised, there are others in place to detect and prevent fraudulent transactions

• Implement customer awareness program

Page 16

Authentication Options

• Something you know

– Password

– Challenge questions

• Something you have

– IP Address (pc recognition)

– USB token

– Smart card

– Password-generating token

– Digital certificates

• Something you are

– Biometrics

MITB attacks have rendered what were once considered strong multifactor authentication methods ineffective.

Page 17

FFIEC Updated Authentication Guidance – Types of Layered Security Controls

• Fraud monitoring solution

– Monitor individual transactions for fraud

– Initial login and authentication

• Out-of-band authentication

• Out-of-band transaction verification

• Monetary and frequency limits

• Techniques to limit the use of the account – such as ACH debit blocks

• Restrictions on the days and hours of access

• Internet Protocol (IP) reputation-based tools to block connection to online banking servers from IP addresses known or suspected to be associated with fraudulent activities

• Enhanced controls over account maintenance changes initiated by customers through the online banking channel or through the call center
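As an added example (not from the presentation) of how these controls layer, the Python below evaluates a transfer against independent checks: IP reputation, access hours, an ACH debit block, and monetary and frequency limits. The policy values, networks and sample transactions are constructed for the illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy for one business account (values are illustrative).
BAD_NETWORKS = [ip_network("203.0.113.0/24")]   # IP-reputation feed entry (TEST-NET-3)
ACCESS_HOURS = (7, 19)                          # transfers allowed 07:00-18:59 only
ACH_DEBIT_BLOCK = True                          # account is blocked from ACH debits
PER_TX_LIMIT_CENTS = 25_000_00
MAX_TX_PER_DAY = 5

def check_layers(tx: dict, history: list) -> list:
    """Evaluate each control independently and return every one the transfer
    trips; an empty list means it passes. Because the checks share no state,
    defeating one (e.g. using a clean IP) does not silence the others."""
    findings = []
    if any(ip_address(tx["ip"]) in net for net in BAD_NETWORKS):
        findings.append("ip-reputation")
    if not ACCESS_HOURS[0] <= tx["when"].hour < ACCESS_HOURS[1]:
        findings.append("outside-access-hours")
    if ACH_DEBIT_BLOCK and tx["type"] == "ach-debit":
        findings.append("ach-debit-block")
    if tx["amount_cents"] > PER_TX_LIMIT_CENTS:
        findings.append("monetary-limit")
    recent = [h for h in history if tx["when"] - h["when"] < timedelta(days=1)]
    if len(recent) >= MAX_TX_PER_DAY:
        findings.append("frequency-limit")
    return findings

def sample_run() -> dict:
    """Constructed transactions: a normal payroll ACH credit and a suspicious one."""
    history = [{"when": datetime(2013, 6, 3, 9, 0) + timedelta(hours=i)} for i in range(5)]
    normal = {"ip": "198.51.100.7", "when": datetime(2013, 6, 3, 10, 15),
              "type": "ach-credit", "amount_cents": 12_000_00}
    suspicious = {"ip": "203.0.113.44", "when": datetime(2013, 6, 4, 2, 40),
                  "type": "ach-credit", "amount_cents": 48_500_00}
    return {"normal": check_layers(normal, []),
            "suspicious": check_layers(suspicious, history)}
```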

Page 18

FFIEC Updated Authentication Guidance – FFIEC’s Minimum Expectations

• Perform annual risk assessment

• A fraud monitoring method capable of detecting and effectively responding to suspicious or anomalous activity related to the initial login and authentication of customers and transfers to third parties

• Robust administrative function capabilities for business accounts

– The ability to set up multiple users and assign specific levels of authority to each user;

– The ability to set up monetary limitations for each user who is authorized to initiate payments and transfers initiated through bill pay, ACH, and wires;

– The ability to establish dual control requirements for initiating payments and transfers initiated through bill pay, ACH and wires;

– The ability for the administrator to receive activity reports from transaction logs for reporting purposes; and

– The ability for the administrator to receive account maintenance reports to assess the validity of any maintenance changes.
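An added example, not from the presentation, modelling the administrative functions listed above in Python: per-user authority by channel, per-user monetary limits, dual control above a threshold, and an activity log the administrator can report on. The BusinessAccount class, the channels and the clerk/controller users are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    limits: dict            # channel -> max cents this user may initiate; absent = not authorized
    approver: bool = False  # may supply the second signature under dual control

@dataclass
class BusinessAccount:
    users: dict                # name -> User, as set up by the account administrator
    dual_control_above: dict   # channel -> cents; larger transfers need a second user
    transfers: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # source of the administrator's activity report

    def initiate(self, name: str, channel: str, amount: int, dest: str) -> str:
        u = self.users[name]
        if channel not in u.limits:
            status = "rejected: user not authorized for " + channel
        elif amount > u.limits[channel]:
            status = "rejected: exceeds user limit"
        elif amount > self.dual_control_above.get(channel, float("inf")):
            status = "pending approval"
        else:
            status = "released"
        tx_id = len(self.transfers) + 1
        self.transfers[tx_id] = {"by": name, "channel": channel, "amount": amount, "dest": dest, "status": status}
        self.log.append((tx_id, name, "initiate", status))
        return status

    def approve(self, name: str, tx_id: int) -> str:
        tx = self.transfers[tx_id]
        if tx["status"] != "pending approval":
            return tx["status"]
        if name == tx["by"] or not self.users[name].approver:  # dual control: a different, entitled user
            self.log.append((tx_id, name, "approve", "rejected: dual control"))
            return "rejected: dual control"
        tx["status"] = "released"
        self.log.append((tx_id, name, "approve", "released"))
        return "released"

    def activity_report(self) -> list:
        return list(self.log)

def demo_account() -> BusinessAccount:
    # Constructed sample: a clerk with low limits and a controller who approves.
    clerk = User("clerk", {"billpay": 2_000_00, "ach": 5_000_00})
    controller = User("controller", {"ach": 50_000_00, "wire": 50_000_00}, approver=True)
    return BusinessAccount({"clerk": clerk, "controller": controller}, {"ach": 2_500_00, "wire": 0})
```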

Page 19

FFIEC Updated Authentication Guidance – Member Awareness Program

• Explain protections provided/not provided to members for electronic funds transfers initiated through online banking

– Indicate whether member is entitled to Regulation E protection

• Explain the circumstances, if any, and the means the credit union may contact the member on an unsolicited basis requesting account information

– Most credit unions indicate they will not contact members to request account information

• Explain safe online banking practices

• Recommend business members perform their own risk assessment

• Provide a list of credit union contacts in the event members notice suspicious account activity/experience security-related events

Page 20

Online Account Opening, Account Funding

• Fraudulent opening of accounts

– Identity theft

– Account used for fraudulent purposes

• Deposit Fraud

– Remote deposit capture

– Electronic Deposits

• Fraud by member

• Fraud by outsider, account compromised

• Fraud by member’s new online friend

Page 21

Chart on the slide: authentication standards plotted by security (low to high) against complexity and cost of implementation (low to high).

Authentication methods, from lowest to highest security and cost:

– Password / shared secret

– Email verification

– Knowledge-based authentication

– Hardware-based digital certificates

Levels:

– Level 1: Verification of an email address

– Level 2: Online process that compares personal information against widely referenced databases

– Level 3: Requires physical appearance with government-issued photo identification

Page 22

What questions do you have?

Page 23

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates.

This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this presentation/publication, nor does it replace any provisions of any insurance policy or bond. Credit Union Protection insurance products offered to credit unions, including the Fidelity Bond, Management & Professional Liability Policy, Special Insurance Package, Plastic Card Policy, Cyber & Security Incident Policy, and Property/Business Liability Policy are underwritten by CUMIS Insurance Society, Inc., a member of CUNA Mutual Group. CUNA Mutual Insurance Agency, Inc., an affiliate within CUNA Mutual Group, is the marketing agent licensed to broker various other property and casualty coverage. To determine underwriting company information for each policy type, please refer to the actual policy documents and declarations pages. Coverage may vary or may not be available in some states. This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.


This is not intended to be legal advice but only a high-level review of the law. As the exact interpretation of the statutory requirements will depend on specific facts and circumstances, credit unions are encouraged to consult independent legal counsel in interpreting the requirements of the law and its application to their operations.

CUNA Mutual Group Proprietary and Confidential. Further Reproduction, Adaptation, or Distribution Prohibited.

© CUNA Mutual Group, 2013. All Rights Reserved.