Online Fraud Trends – Staying Ahead of the Threats

1 ID Management in Financial Services – May 2005

Online Fraud Trends – Staying Ahead of the

Threats

Matthew Biliouris, Information Systems Officer – NCUA


Credit Union Industry Statistics

0

1,000

2,000

3,000

4,000

5,000

6,000

Website Type

Interactive

Non-Interactive

Total



-20.0%

-10.0%

0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

Interactive Non-Interactive Total

Website Growth

Jun-99

Dec-99

Jun-00

Dec-00

Jun-01

Dec-01

Jun-02

Dec-02

Jun-03

Dec-03

Jun-04

Dec-04



Percentage of FICUs By Website TypeDecember 31, 2004

41.2%

14.3%3.7%

40.7% None

Informational

Interactive

Transactional



FICU Assets By Website TypeDecember 31, 2004

3.5% 4.3%

90.0%

2.2%

None

Informational

Interactive

Transactional


Risk Assessment ProcessRisk Assessment Process

2. Understand2. UnderstandRisksRisks

3. Prioritize Risks3. Prioritize Risks

4. Develop & Implement 4. Develop & Implement Action PlansAction Plans

5. Monitor5. Monitor

1. Identify Risks1. Identify Risks


Security Programs

Gramm-Leach-Bliley Act – 501(b)– Outlines Specific Objectives– Requires NCUA establish standards for

safeguarding member records


Security Programs

Credit Unions Must Have Process in Place to:– Ensure Security & Confidentiality of Member

Records– Protect Against Anticipated Threats or Hazards– Protect Against Unauthorized Access

Specifically Stated in §748.0(b)(2)



Security Programs

Appendix A – Guidelines for Safeguarding Member Information– Involvement of Board of Directors– Assess Risk– Manage & Control Risk– Oversee Service Providers– Adjust the Program– Report to the Board


Security Programs

Response Program Guidance– Increasing Number of Security Events– Congressional Inquiries– GLBA Interpretation– FFIEC Working Group– Revise Part 748-Add New Appendix B


Security Programs

Credit Unions Must Have Process in Place to:– Ensure Security & Confidentiality of Member

Records– Protect Against Anticipated Threats or Hazards– Protect Against Unauthorized Access– Respond to Incidents of Unauthorized

Access to Member Information



Security Programs

Appendix B – Guidance on Response Programs– Components of a Response Program

Assessing Incident Notifying NCUA/SSA Notifying Law Enforcement Agencies Containing/Controlling Incident Notifying Affected Members


Security Programs

Appendix B – Guidance on Response Programs– Content of Member Notice

Account/Statement Review Fraud Alerts Credit Reports FTC Guidance


PART 748 APPENDIX B

Conflict with State Law – e.g., California Notice of Security Breach statute– Requires notice to California residents when

unencrypted member information is or may have been acquired by unauthorized person

– Gramm Leach Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections


NCUA Expectations

Potential Questionnaire:– Incorporated into Overall Security Program– Escalation Process / Incident Response– Review of Notices – Attorney Review?– Enterprise Wide Approach– Reporting to Senior Management– Member Outreach / Awareness Programs– Employee Training Programs


“Phishing”


“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Arthur LevittArthur Levitt

Former Chairman of the SECFormer Chairman of the SEC

Quotes


Phishing 101

Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.


Phishing 101

E-mailSpoofed addressConvincing Sense of urgencyEmbedded link (but not always)


Phishing Trends

Anti-Phishing Working GroupIndustry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. APWG Members- Over 400 members- Over 250 companies- 8 of the top 10 US banks- 4 of the top 5 US ISPs- Over 100 technology vendors- Law enforcement from Australia, CA, UK, USA


Phishing Trends

Source: APWG Phishing Attach Trends Report - March 2005

24 ID Management in Financial Services – May 2005Source: APWG Phishing Attach Trends Report – March 2005

Phishing Trends

25 ID Management in Financial Services – May 2005Source: Anti-Phishing Working Group Phishing Archive

Examples (June 2004)








Examples (March 2004)

Source: Anti-Phishing Working Group Phishing Archive


Examples (March 2004)



Examples (May 2004)



Training / Policy Development

Awareness

Handling complaints & reports of

suspicious e-mails/sites

Protect on-line identity of credit union

Response Plan

Phishing Action Plans – Employee Education


Communication Methods

Internet Banking Agreements

Newsletters

Statement Stuffers

Recordings when on “hold”

Website (FAQs / Advisories / Links)

Phishing Action Plans – Member Education


Action Plan Ideas - Education






Content

We will never ask for xxx via e-mail

We will never alert you of xxx via e-mail

Always feel free to call us at # on statement

Always type in our site URL (see

statement / newsletter / previous bookmark)

Phishing Action Plan Ideas – Member Education


Content (cont’d) Sites can be convincingly copied

Report suspicious e-mails & sites

Where to get more advice on phishing

Importance of patching

How to validate site (via cert or seal)

Where to go for ID theft help

Phishing Action Plan Ideas – Member Education


Considerations:

Keep certificates up-to-date

Practice good domain name controls

Don’t let URLs lapse

Purchase similar URLs / Search for

similar URLs

Phishing Action Plan Ideas – Protection of CU’s Online Identity


NCUA

(8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions

(04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes

(05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

FFIEC Agency Brochure

Phishing Resources






Inside the Examiner’s PlaybookInside the Examiner’s Playbook

Think GloballyVendor ManagementSecurity Program

(Part 748)Employee Remote

AccessRisk Assessment

Patch Management IDS/Incident

ResponseVirus Definition

UpdatesBCPFormal Policies





FFIEC IT Handbook


FFIEC IT Examination Handbook

Development & Acquisition

Management

Operations

Outsourcing

Retail Payment Systems

Wholesale Payment Systems

Issued: BCP Information

Security Supervision of

TSPs Audit E-Banking Fedline





Contact Information:

Matthew Biliouris

703-518-6394

[email protected]

Questions??

Online Fraud Trends – Staying Ahead of the Threats

Documents