Small Changes Lead To Big Payoffs In Reducing Fraud

Banks can leverage their relationships with clients and empower them to better control fraud.

Many financial institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee into sending a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.

Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employee manipulation in the coming year, up 9% from the previous year. They are right to be worried: These attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.

Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company from a private equity company sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who took control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.

While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.

Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers that customers choose to disable, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand why those controls exist. Coaching can help clients avoid painful experiences.

In addition, banks should offer security information and training to their clients on a regular basis to help them understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary services.

Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity. 

For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
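The two checks described above, as an added Python example that is not from the original article or from any core banking product: a per-customer baseline flags a first international wire, a new destination country, and an amount far above the customer's prior wires. The home country, the 2x multiplier, the minimum-history cutoff, the reason labels and every sample wire are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# All three thresholds are assumptions chosen for this illustration.
HOME_COUNTRY = "US"        # bank and customers assumed US-domiciled
AMOUNT_MULTIPLIER = 2.0    # flag wires above 2x the largest prior wire
MIN_HISTORY = 5            # fewer prior wires than this gives no usable baseline


@dataclass(frozen=True)
class Wire:
    customer: str
    amount: float
    dest_country: str  # ISO 3166-1 alpha-2 code


def build_baselines(history):
    """Summarise each customer's past wires: count, countries seen, largest amount."""
    baselines = defaultdict(
        lambda: {"count": 0, "countries": set(), "max_amount": 0.0}
    )
    for w in history:
        b = baselines[w.customer]
        b["count"] += 1
        b["countries"].add(w.dest_country)
        b["max_amount"] = max(b["max_amount"], w.amount)
    return dict(baselines)


def review_reasons(wire, baselines):
    """Return the reasons a wire should be held for a callback to the client.

    An empty list means the wire matches the customer's established pattern.
    """
    b = baselines.get(wire.customer)
    if b is None or b["count"] < MIN_HISTORY:
        # No baseline to compare against: treat as reviewable, not as clean.
        return ["insufficient_history"]

    reasons = []
    if wire.dest_country not in b["countries"]:
        if b["countries"] == {HOME_COUNTRY}:
            # Domestic-only customer suddenly sending funds abroad.
            reasons.append("first_international_wire")
        else:
            reasons.append("new_destination_country")
    if wire.amount > AMOUNT_MULTIPLIER * b["max_amount"]:
        reasons.append("amount_outlier")
    return reasons


# Constructed sample history (not real customers or transactions).
HISTORY = [
    # Domestic-only middle market company, all wires under $20,000.
    Wire("ACME-MFG", 4_200, "US"),
    Wire("ACME-MFG", 7_800, "US"),
    Wire("ACME-MFG", 12_500, "US"),
    Wire("ACME-MFG", 18_900, "US"),
    Wire("ACME-MFG", 9_600, "US"),
    Wire("ACME-MFG", 15_300, "US"),
    # Customer with an established international pattern.
    Wire("GLOBEX-IMPORT", 50_000, "US"),
    Wire("GLOBEX-IMPORT", 42_000, "DE"),
    Wire("GLOBEX-IMPORT", 61_000, "GB"),
    Wire("GLOBEX-IMPORT", 38_000, "DE"),
    Wire("GLOBEX-IMPORT", 55_000, "US"),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    incoming = [
        Wire("ACME-MFG", 12_000, "US"),       # in pattern
        Wire("ACME-MFG", 15_000, "RO"),       # first wire abroad
        Wire("ACME-MFG", 60_000, "US"),       # 3x the usual ceiling
        Wire("ACME-MFG", 60_000, "RO"),       # both signals at once
        Wire("GLOBEX-IMPORT", 60_000, "RO"),  # new country, normal amount
        Wire("NEWCO-LLC", 5_000, "US"),       # no history on file
    ]
    for w in incoming:
        reasons = review_reasons(w, BASELINES)
        status = "HOLD " + ",".join(reasons) if reasons else "RELEASE"
        print(f"{w.customer:14} {w.amount:>9,.0f} {w.dest_country}  {status}")
```

A wire with any reason attached is a candidate for the personal callback the article recommends, not an automatic rejection.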

Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.         

Banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and paying attention for any outlier transactions.

Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.

Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked to track down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.

Will Iran Target U.S. Banks?

Should U.S. banks be concerned about possible cyberattacks from Iran following the killing of its top general, Qasem Soleimani, in a U.S. drone attack in early January?

Two federal banking regulators apparently think so.

The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a joint statement on Jan. 16 — 13 days after Soleimani’s assassination — to “remind supervised financial institutions of sound cybersecurity risk management principles,” including response and resilience capabilities, strong authentication controls and securely configured systems.

Iran responded to Soleimani’s killing four days later by firing missiles at two U.S. military bases inside Iraq, but that may not be the end of the matter. A short news item in the Jerusalem Post on Feb. 2 quoted Hashim Al-Haidari, an official in the Popular Mobilization Forces, a Shiite militia group that serves as an umbrella organization for a number of Iran-backed militias operating in Iraq, as saying that Iran’s initial reprisal was just a “first slap” and that “hard revenge” was coming.

What form might that revenge take?

Iran’s missile attack was a carefully calibrated reprisal, intended to limit the possibility of a major U.S. counterattack, according to Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. The Fulton, Maryland-based consulting firm was co-founded by Keith Alexander, a retired four-star Army general who was director of the National Security Agency and the first commander of the U.S. Cyber Command.

“They were very careful to control the way they responded in that one instance … but I also don’t think we’ve seen the end of the Iranian response,” Jaffer says. “They are likely to come at us again, whether that’s because they’re returning to their old behaviors or because they want to continue to respond to the killing of Soleimani — or maybe a little bit of both — but they will come back again because it’s how they operate.”

Jaffer says that Iran might respond in one of two ways (or perhaps even both). The first would be traditional terrorist attacks on overseas targets intended either to kill people or damage important infrastructure, like the September 2019 attack on Saudi Arabia’s state-owned oil company, Saudi Aramco. These direct attacks will most likely occur outside the United States and could involve U.S. allies like Saudi Arabia, a regional adversary of Iran. “I think they recognize that an attack like that, conducted inside the United States, would result in catastrophic consequences for their regime, and I don’t think they’re looking to do that,” Jaffer says.

A more likely longer-term response from Iran might be cyberattacks on targets inside the United States, including banks. Why banks? Because they are a critical component in the country’s financial infrastructure.

“Physical attacks are much more binary,” Jaffer says. “Either you go blow something up or you don’t, you kill somebody or you don’t, you attack a facility or you don’t. Cyberattacks can be ratcheted up or down in real time. You can go from a nuisance attack to destroying data and [then] back off of that. You can modify how you’re behaving, so they’re dynamically scalable in scope and nature.”

Cyberattacks also provide the source with some element of plausible deniability. “Iran wants to be seen as responding to the Soleimani attack, but they also at times want to be able to say, ‘Yeah, but it wasn’t really us.’ Even though they want you to know it was them and even though they in fact did it, they also want to be able to deny it publicly,” Jaffer explains.

Jaffer says that Iran’s cyber warfare skills should be taken seriously. “They have real capabilities,” he says. In 2014, Iran launched a highly destructive cyberattack on the Las Vegas Sands Corp., where according to Jaffer “they went in and bricked computers and deleted data.” A bricked computer is one that has been rendered useless through a cyberattack and cannot be repaired through normal means, like installing a new operating system. Why would Iran target Las Vegas Sands? The casino company’s CEO, Sheldon Adelson, is a major supporter of Israel and once said the U.S. should consider dropping a nuclear bomb on Iran.

Between December 2011 and September 2013, Iran launched distributed denial of service attacks against 46 major U.S. financial institutions, according to a federal indictment against a group of Iranian hackers filed by the U.S. Department of Justice and the Southern District of New York. According to the indictment, these institutions incurred tens of millions of dollars in remediation costs. Banks should always be focusing on their cybersecurity defenses, of course. But the current hostilities between the U.S. and Iran, combined with Iran’s demonstrated willingness to use its cyber warfare against U.S. companies including banks, serves as a reminder that an ounce of prevention might be worth a pound of cyber cure.

The Newest Exposure Facing Community Bank Boards


Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine to dispense larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and the perpetrators extort executives for a “consulting fee” to restore access to the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing of a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud was initially caused by an employee who fell victim to a targeted phishing email, which allowed culprits to install malware on bank servers. The malware allowed thieves to disable the anti-theft and anti-fraud protections, including 4-digit PIN numbers and daily withdrawal limit thresholds. The bank succumbed to two separate instances of ATM thefts from this intrusion into their computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

The Need for Secure Communications in the Boardroom


Boards need to keep director communications secure, timely and accurate.

Communication can be a major challenge for busy board directors who need to touch base with their peers regularly, and it can introduce major security risks for the institution.

Boards tend to use different applications or multiple email accounts; the numerous electronic platforms mean that directors need to remember multiple user IDs and passwords. Directors sometimes resort to using their personal email accounts out of frustration with other systems or for personal convenience.

Many boards send sensitive internal governance communications through insecure communication channels. The use of personal email for internal board communications is widespread. A report Diligent Corporation conducted with Forrester Consulting discovered that 56 percent of directors use personal email for their board communications. Governance professionals and C-level executives also sometimes use their personal email for governance communications.

This is not a good practice. Cybercrime continues to evolve; attacks are increasingly sophisticated, and they are occurring with increasing frequency. Attacks are also becoming more complex, and recovering from digital breaches may become increasingly difficult.

Hackers specifically target directors, C-level executives and the people who support them in a tactic known as “whaling.” Hackers are keenly aware that boards regularly deal with information that is highly sensitive and confidential. Cyber criminals are likely to target high-profile individuals, threatening them with the release of private information unless they pay a ransom. When directors and other notable individuals use personal email accounts for corporate business, they are prone to falling victim to phishing and malicious cyberattacks that could harm the corporation.

Best practices for corporate governance require directors to communicate in ways that are secure, timely and accurate, and that reflect good governance principles. Encapsulated within the principles of good corporate governance is the need to use the right technology to support these efforts. Specific technology that protects the board’s internal communications can also streamline various processes. However, boards should look for specific tools with features such as remote wiping, given that nearly 30% of directors report losing or misplacing a phone, tablet or computer at some point.

The only way to keep sensitive and confidential information private is to use a secure digital messaging application. Look for applications that can work with existing digital infrastructure but are also secure. Some solutions help augment governance and accountability functions, which can address liability issues that email and other types of communications can sometimes create for board administrators and general counsels.

Probably the most difficult element of using secure communications in the boardroom is actually getting directors to use the technology. Getting board directors to change their habits can be a daunting task and something that can take time. However, with the right support and training, directors will be more willing to make the change.

Directors need to understand the importance of using the right technologies and why their current communication methods open the board up to risk. Assessing the security threat demonstrates to the board that the discussion topics and documents are highly sensitive and cannot risk being leaked. The right communication application should provide control to the administrator, with security being a top feature to ensure directors are protected.

Additionally, getting director buy-in from the start is crucial. It is important that boards realize what could happen if their emails are hacked and why they need to adopt secure communications avenues.

Providing your board of directors with the right reasons for needing secure communications is half the battle. Make sure your bank properly evaluates the various technologies to ensure that they will have the right training to properly leverage the tools.

Shelter From the Cyber Storm


In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as well as natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

Your Board Can’t Ignore Biometrics and AI


As the digital landscape continues to evolve and consumers increasingly turn to digital devices to conduct business, bank directors and executives have made it clear—most recently in Bank Director’s 2017 Risk Practices Survey, conducted in January, and 2017 Technology Survey, conducted over the summer—that cybersecurity is the risk category they worry about the most. Given their high level of concern on the issue, it’s surprising—and troublesome—to see a significantly smaller number of bank leaders indicate that they don’t believe that biometrics and artificial intelligence (AI) will impact their financial institution over the next five years, because these technology solutions are already being leveraged in the industry.


“Passwords are not necessarily safe,” says Charlie Jacco, cybersecurity leader, financial services at KPMG. People tend to re-use passwords, or default to easily guessed ones: Password manager Keeper Security found that 17 percent use the password “123456,” and the company’s list of the 25 most common passwords of 2016 accounts for more than half of the 10 million passwords analyzed by the company. Cybercriminals use bots to crack passwords, but oftentimes individuals will respond to a phishing attack in an email and unwittingly provide their information directly to the criminals. Eighty-one percent of hacking-related data breaches in 2016 used either a stolen or a weak password, according to the 2017 Data Breach Investigations Report published by Verizon. “If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” wrote the authors of the report.

And it’s not just customers that use passwords. Employees have to log into a bank’s core system, call platforms, and the other technology solutions needed to do their jobs. “From the security aspect of being able to improve logins, to move away from having to remember a zillion passwords, is not only good for the customer … ultimately I think it is a larger impact to the bank associate or employee,” says Charles Driest, the director of digital banking at $1.3 billion asset Essex Bank, based in Richmond, Virginia.

Multi-factor authentication—requiring a single-use numeric code, for instance, in addition to a password—is one solution, but the experience isn’t convenient for the user, whose expectations are informed by companies like Amazon that strive to make shopping easy. “How do I get that slick customer experience for my consumers that they’re expecting, and still make it safe?” says Jacco.

Customers are growing increasingly comfortable with biometrics as a security solution, according to Javelin Strategy & Research. Scanning the user’s thumbprint is probably the most commonly used approach in consumer-facing technology, and facial recognition has been getting more attention of late, with Apple’s introduction of the iPhone X, which unlocks with a facial scan instead of a thumbprint. Apple claims that facial recognition is more accurate, with a 1 in 1 million error rate, compared to 1 in 50,000 for the phone’s thumbprint scan. Banks have been experimenting with voice recognition, another form of biometrics, for roughly a decade, with a few deploying this biometric within their mobile app.

At its best, biometrics weds security with an optimized experience. It’s more difficult to steal a thumbprint, but it’s still possible, says Jacco. Companies that want to enhance their cybersecurity protections will begin leveraging multiple biometric authentications. USAA already allows customers to use thumbprint, facial and voice recognition in its mobile app, and remembers the user’s preferred biometric. Varying the biometric modalities used by customers will lead to personalized services. A teller may use facial recognition to know who a customer is when they walk into a branch, or a wealth manager, through voice recognition, will know the client on the phone. “This is something that all of the big banks are talking about, and it will make its way across the whole industry,” says Jacco.

The industry still has work to do to make biometrics a more secure solution. Most major banks use biometrics in their mobile channel, but the app defaults to a password if the biometric isn’t readable, says Al Pascual, research director and head of fraud and security at Javelin. “They default to what is arguably the weakest security solution.” Security questions used in enrollment aren’t safe from hackers, either. The data breach revealed by Yahoo in September 2017 included the security questions and answers that users had chosen as a failsafe in the event of a forgotten password.

For biometrics to be truly secure, banks need to ensure that the person enrolling their biometric “is in fact who they say they are,” says Pascual. But he adds that new account fraud is on the rise, and banks need to work on their initial identity controls—making sure they know the customer—before tackling biometric enrollment. With the recent breach of Equifax’s data impacting the identities of half of the American population, this is no small task.

Artificial intelligence also shows great potential in protecting financial institutions from cybercriminals and from fraud, and staying on top of compliance. “Banks are overwhelmed by cyber risk management, and I don’t see how they can afford to ignore AI technologies,” says Joan McGowan, a senior analyst at Celent who defines AI as “the application of analytics, bots, robotic process automation and report generation.”

KPMG’s Jacco says that robotic process automation can help sort through potential cyber incidents to better identify what warrants further investigation—a task still best suited for human intelligence. He adds that fraud and security teams are more frequently collaborating to leverage AI.

AI continues to evolve, so it’s not a technology that banks can set and forget. Banks will need to employ data scientists and improve their data analytics capabilities, says McGowan—no mean feat in an industry where just 13 percent of executives and directors believe their institution effectively uses data, per the 2017 Technology Survey.

Almost half of bank boards discuss technology at every board meeting, and 38 percent discuss the issue quarterly, according to the Technology Survey. So why don’t more boards—or senior executives, for that matter—see the value in biometrics and AI? It’s possible that up-and-coming technologies just aren’t discussed frequently enough. Ninety-four percent say the board focuses on cybersecurity in discussions about technology, but significantly fewer use that time to focus on other technology-related concerns, such as staying on top of technology trends (40 percent) and evaluating new technologies (24 percent). Without understanding the solutions available for banks today, it will be increasingly difficult for boards to oversee the cybersecurity risk facing their institution.


The 2017 Technology Survey was conducted in June and July of 2017, and examined how banks strategically approach technology. Bank Director surveyed 145 senior executives—including CEOs, chief information officers and chief technology officers—and independent directors of U.S. banks above $250 million in assets. Technology solutions provider CDW sponsored the survey.