Cybercrime, the Invisible Gunslinger Threatening Your Financial Institution
Unmasking the 21st Century Bank Robber
by Lori Moore, Director of Compliance, ATTUS Technologies Inc.
In the old West, banks knew their enemy. Larger-than-life criminals such as Jesse James and Butch Cassidy were well known for brazen robberies that left bankers quaking in their boots. The Great Depression inspired another generation of highly recognizable bank robbers, as the likes of John Dillinger, Ma Barker, and Bonnie and Clyde terrorized banks across the Midwest in the 1930s. While armed bank robbery still occurs occasionally, today’s financial institutions are prepared to deal with gun-toting criminals with security guards, surveillance cameras and teller panic buttons. These proactive solutions, combined with stiff federal laws, have deterred the traditional gunslinger almost to extinction. Rather than breathing a sigh of relief, though, financial institutions now need to turn their attention to an enemy not nearly as well known but potentially far more dangerous. The cyber criminal is not only invisible; he or she has the ability to render your financial institution and/or your customers defenseless with nothing more than a keystroke.
The 21st Century Bank Robber Lurks in the Shadowy World of Virtual Reality
Possibly the scariest aspect of cybercrime is its ability to take seemingly innocuous actions and turn them against your financial institution without you even knowing until it’s too late. Everyone in your institution has hopefully heard of computer viruses, Trojan horses, malware infections and phishing attempts, but if anyone thinks that casual awareness gives them a complete picture of their enemy, they are dead wrong. Just look at these five scenarios that, on the surface, appear to represent harmless activities but in reality brilliantly mask the deceptively dangerous trends in cyber crime.
Buying Software over the Internet
An individual, unrelated to your financial institution, goes online to purchase software to assist them in opening their own business. The person searches for software that comes with a warranty, technical support and even version upgrades, and they find several options available to them, all at an affordable price. Within days, their new business is up and running. This scenario sounds innocent enough. Maybe this new small business owner might even be a potential customer of your institution in the future, right? Wrong!
Trend #1 – Cybercrime is becoming easier to perpetrate by relatively unskilled persons. This individual is joining the ranks of hackers, and the software they just purchased is an “exploit kit,” giving them all the tools they need to hack into systems at your financial institution or at your customers’ businesses. Organized crime syndicates are recognizing that supporting and sponsoring such low-level criminals enhances their own potential for illegal gain. Security experts call this “crime-ware as a service,” but regardless of the label, it proves that less experienced hackers can more easily break in and access the support and tools they need to do the job.
Updating a Social Networking Profile
A highly dedicated employee at your institution eats lunch at their desk so that they can get right back to work as soon as they are done. They take this break to update their profile on a social networking site announcing that they just completed an arduous project at work. They don’t reveal where they work or even the context of their project, just a quick celebration of a job well done.
What could possibly be wrong with that? The employee followed your institution’s guidelines for keeping the specific details of their professional life secret. There’s no problem here, right? Wrong!
Trend #2 – Cyber criminals see the broad security loopholes in Web 2.0, and they are exploiting them. eWeek.com recently cited an IBM report revealing that legitimate sites contain more malware than suspicious sites do. Social networking sites top the list of most vulnerable because they are based on the idea of mutual trust. Malware’s invisibility allows it to take full advantage of that trust, scooping up personal and sometimes even professional information along the way, without users being any wiser that their computer or their employer’s network might have been infected.
Branches Operating on an Older Version of Software
Your financial institution acquires four branches from another institution. A transition plan is in place to upgrade all existing hardware and software to be compatible with the rest of your institution. The timeline for completion is dependent upon resource availability and budget dollars. In the meantime, those branches are utilizing an older version of software or are operating on an older platform as they conduct branch business. This incongruity is only temporary; the danger from it is only minimal, right? Wrong!
Trend #3 – Cyber criminals know that the economy has left security budgets in tatters, and they realize all too well the opportunity this scenario presents. If your institution’s firewalls and network perimeter defenses are built on newer versions of software or platforms while portions of your institution are still on older versions, then a vulnerability exists. And that’s exactly the type of vulnerability the cyber criminal is waiting and watching for; once it’s detected, they will pounce on the customer data or corporate secrets they seek.
Small Business Owner Conducting Online Banking
Your very good, long-time small business customer, who has multiple accounts at your institution and has referred numerous other customers to you, logs into her online banking account to complete needed transactions. She loves the convenience of this option, not to mention the time it saves her as a business owner juggling many hats. As a financial institution, you appreciate the added loyalty that this service has engendered in your customer. Nothing could go awry, right? Wrong!
Trend #4 – Cyber criminals are enjoying the increased potency of malware. In this case, the small business owner experiences system issues and then complete unresponsiveness. She is unaware, as are you, that the Zeus Trojan has captured her logon credentials long enough for it to transfer thousands or hundreds of thousands of dollars out of her accounts. The “kill operating system” feature of this harmful malware delays notice long enough that it becomes very difficult for the financial institution to reverse the transactions. Either you or your customer is left holding the bag.
Customer Enjoying his New Smartphone
A private banking customer uses his smartphone to call his bank representative to discuss business, possibly even providing his account number for reference. As he’s talking, the phone’s GPS is tracking his whereabouts, which he thinks is cooler than cool. Plus, he can multitask via the various apps on his phone. Life couldn’t be better when you can afford the latest gadgets, right? Wrong!
Trend #5 – Cyber criminals are figuring out how to infect smartphones with rootkits, a particularly dangerous form of malware capable of intercepting calls and any information relayed through them, as well as your customer’s exact location via that GPS. How long will it take that customer to learn that he has an unwanted eavesdropper listening in? According to the latest research by professors at Rutgers University, it could be quite a while, as it appears that rootkits are harder to detect on smartphones than even on desktops.
Round Up the Posse
In the days of Jesse James, the sheriff rounded up the locals to chase the thief’s gang out of town. During the 1930s, it was the FBI who tracked down John Dillinger and Bonnie and Clyde. With today’s rampant cyber crime, law enforcement is still on your side, including the FBI’s dedicated cyber investigations unit. But you also need a posse of your own to fight the 21st century gunslinger. Think of your financial institution’s Information Security Program as the authority that deputizes all of your resources so that they can withstand the ingenuity of cyber criminals.
An effective Information Security Program is:
• Formally written and communicated to your board and all employees.
• Developed based on your institution’s actual processes and procedures.
• Balanced between the security needs and the business needs of your institution.
• Inclusive of key stakeholders throughout the institution rather than just IT and IS staff.
• Focused on four key security areas - anti-malware, data loss prevention, vulnerability assessment and software patches.
• Built on the recognition that the majority of attacks take advantage of inherent weaknesses in software, and therefore demanding that external or in-house developers create safer software.
• Cognizant of the amount and types of information collected and stored, so that unnecessary data collection can be eliminated, thereby reducing threats.
• Backed by an action plan for dealing with online fraud, so that customer loyalty and organizational reputation are minimally impacted.
• Committed to educating customers about their need to protect their own systems from cyber criminals.
• Watchful for emerging technology that could be vulnerable to cyber criminals, such as the upcoming release of HTML5, peer-to-peer (P2P) file sharing and Remote Deposit Capture (RDC).
From Invisibility to Enlightenment
Cybercrime jeopardizes everything that is valuable to your institution - confidential data, reputation, assets, customer confidence and more. It’s also a crime that has enjoyed a tremendous boost from the recent recession. Not only have financial institutions’ security budgets been impacted, but the weak economy has given cyber criminals added incentive to hack, infect and steal. They might wear a mask of invisibility, but studying the means, methods and motives of these 21st century gunslingers through your Information Security Program will shed much needed light on today’s “public enemy.”
Lori Moore is a Certified Regulatory Compliance Manager. She is currently the director of compliance for ATTUS Technologies Inc., and has more than 25 years of experience in the financial services industry. During her career, she has gained in-depth knowledge and practical experience within all areas of community banking and has served in key positions, including vice president of operations, BSA officer, compliance officer, internal auditor and vice president of risk management. Moore was also designated as the Outstanding Graduate of the Texas Bankers Association Operations School.