
Association of Credit Union Senior Officers
Weaving the Web: Combating Internet Fraud
ACUSO Annual Meeting, November 17, 2005


Review & Discuss:
>Recent FFIEC guidelines.
>Types of authentication available today.
>Types of threats out on the Internet.
>What is being done to combat Internet threats.
>What the credit union can do to protect your website and related Internet products.
>What the credit union can do to educate your members.

Online ID theft statistics
>Perhaps the best known form of online theft is "phishing." There were 13,776 distinct phishing attacks in August 2005, according to the Anti-Phishing Working Group.
>An October survey commissioned by the Internet security company Entrust found that 18 percent of Americans who have banked online now do so less, or not at all, because of security concerns.
>Mixed feelings on implementing extra online security (two surveys):
  -Ninety-four percent say they are willing to accept extra online security controls.
  -Eighty-one percent complained about security, passwords, etc.
>A survey stated that eighty-three percent do not want to pay for additional security controls.

The FFIEC issued a report on Oct. 12, 2005
>Declaring single-factor authentication, such as passwords, inadequate to secure transactions that involve customer information or the transfer of funds to or from an account.
>The report encourages financial institutions to adopt "enhanced authentication methods" that can identify customers online by the end of next year.
>The guidelines leave it up to the institutions to choose the kind of authentication technology, recommending that the risk assessment process be followed.

Authentication Methods

First type of authentication - Something a person knows.
>PIN or password
>Watermarks
>Secret question
  -If the user types in the correct PIN, selects the correct image or answers the secret question correctly, access is granted!
  -Recent statistics show most people have an average of 17 passwords!

Second type of authentication - Something a person has.
>A self-contained device that must be physically connected to a computer.
  -This option increases the credit union's or member's hardware cost, as it requires a reader of some kind on the member's PC or laptop.
>A device with a small screen on which a one-time password (OTP) is displayed. The user must then enter it to be authenticated.
  -Typically the OTP will change every 30 to 60 seconds, and the device needs to be replaced every four to five years.

Third type of authentication – Something a person is.
>Fingerprint
>Voice pattern
>Hand geometry
>Retinal scan
  -This type of authentication is referred to as "biometrics."
  -Requires installation of specific hardware.

Biometric Digest Highlights: Fingerprint Readers
>Affordability – Devices are down to $50 or less.
>Convenience – Some password readers feature USB "plug and play" and allow for user switching, which makes it more convenient for multiple registered users on an XP computer.
>Security
  -The solution should use leading-edge biometric fingerprint sensors from companies that can enroll multiple fingerprints.
  -Look for devices that include software with the ability to encrypt and decrypt files using the enrolled fingers, keeping files safe from unauthorized users.

Phishing Scams

Phishing – Also known as carding and spoofing.
>A form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and account information, via electronic communication such as email or instant message.

Phishing – Also known as carding and spoofing.
>The first attempts were sent indiscriminately, in the hope of finding a customer of a given financial institution or service.
>Recent research has shown that phishers may in principle be able to establish what institution a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. Such targeted versions are being called "spear phishing."

Presently, the standard means to verify a site is secured are:
>Is the site displaying a security seal such as Verisign Secured?
>Is there a padlock in the lower right-hand corner of your Web browser?
  -Indicates a Secure Sockets Layer (SSL) connection is in place.
  -https://

Phishing – CITI - Report October 24, 2005
>Email Subject Line: CitiBank Bank Security Management Team update
>Description: The message received by the user is not well-written, but the rest of the scheme makes up for it.
>The hyperlink text is for the real Citibank, but after the user clicks the link in the e-mail, the URL in the address bar is https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do
>There is a lock icon on the bottom of the browser window.

Phishing – CITI - Report October 24, 2005
>In short, the phisher was able to obtain a valid SSL (https) certificate to use as part of their scam.
>If you click the "Verisign Secured" graphic in the web page, it displays a Verisign web page that clearly says that citibusinessonline.da-us.citibank.com (not cytigroup.com) is a Verisign Secured site. But it's still the sort of difference that few people will notice.
>The remaining screens in the phishing attack collect and harvest information.

Phishing – CITI - Report October 24, 2005
>This example proves conclusively that following links in unsolicited e-mails is inadvisable.
>Even the normal HTTPS facilities, valuable as they may be, are not proof that a site is what you think it is.
>If you need to access one of your financial accounts, log into it through your normal bookmarks or by typing the URL.

Popular Method of Phishing – Cross Site Scripting and Open Redirect URLs
>Fraudsters detect and exploit opportunities to run their frauds on the financial institutions' own sites.
>Taking advantage of mistakes in applications and web site management, fraudsters have been able to run phishing scams on sites belonging to Visa, MasterCard, SunTrust, Charter One, and Citizens Bank.

Popular Method of Phishing – Cross Site Scripting and Open Redirect URLs
>Typically this has been achieved through the use of cross site scripting and redirection URLs present on financial institutions' sites.
>Open redirects found on financial web sites are liable to be exploited by fraudsters to create a link to their site via the open redirect on the credit union's web site. This makes the link look genuine, as it will appear to point to a page on the credit union's web site, and it is particularly plausible if the credit union's site is served using SSL, as the credit union's SSL certificate will be used.
>When a user clicks on the link, they may be unaware that they have been redirected to the phishing site.
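The open-redirect weakness described above, as an added example that is not code from the presentation or from any vendor it names: the weak redirect handler beside a hardened one, plus a link classifier of the kind a daily redirect scan would run. The host name www.example-cu.org, the paths and the parameter names are constructed assumptions.

```python
"""Open redirect on a trusted site: the weak pattern beside a hardened one.

Added example, not code from the ACUSO presentation. The host name
www.example-cu.org, the paths and the parameter names are constructed.
"""
from urllib.parse import parse_qs, urlparse

TRUSTED_HOST = "www.example-cu.org"                              # constructed
REDIRECT_PARAMS = ("url", "redirect", "next", "return", "goto")  # assumed names


def weak_redirect_target(next_param: str) -> str:
    """Weak pattern: the site sends the browser wherever the parameter says.

    A link such as https://www.example-cu.org/login?next=https://... shows
    the credit union's host (and its SSL certificate) in the e-mail, yet
    lands the member on whatever page the parameter names.
    """
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened: accept only an absolute path on this site; anything else
    falls back to a fixed default instead of honouring the parameter."""
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:      # "https://..." or "//other.example"
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    if "\\" in next_param:                  # browsers read "/\host" as "//host"
        return default
    return next_param


def launders_offsite_link(link: str) -> bool:
    """Flag a link whose redirect-style parameter on the trusted host points
    somewhere else: the kind of link a daily redirect scan should surface."""
    parsed = urlparse(link)
    if (parsed.hostname or "").lower() != TRUSTED_HOST:
        return False                        # not our host; nothing to launder
    for name in REDIRECT_PARAMS:
        for value in parse_qs(parsed.query).get(name, []):
            target = urlparse(value)
            if target.netloc and target.netloc.lower() != TRUSTED_HOST:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing e-mails.
    for link in (
        "https://www.example-cu.org/login?next=/member/home",
        "https://www.example-cu.org/login?next=https://other.example/signon",
        "https://www.example-cu.org/go?url=//other.example/signon",
    ):
        print(launders_offsite_link(link), link)
```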

Popular Method of Phishing – Example of an ecard scam that is trickier than most phishing.
>The ecard looks like it comes from Hallmark and asks you to download an attachment to pick up your ecard. However, the attachment isn't really an ecard; it's a Trojan.
>This particular Trojan then waits for you to sign onto AOL. If and when you do, it displays a pop-up window that looks like an AOL form, but asks you to verify/update your AOL billing info by providing your credit card, checking account info, and Social Security number.

Fair Credit Report Act – FREE Credit Report Scams
>An amendment to the Fair Credit Reporting Act requires each of the nationwide consumer reporting companies to provide consumers with a free copy of their credit report upon their request, once every 12 months.
>The three companies have set up one central website, toll-free telephone number, and mailing address through which a person can order a free credit report.

Fair Credit Report Act – FREE Credit Report Scams
>The Federal Trade Commission (FTC), the nation's consumer protection agency, wants you to know that, if you want to order your free annual credit report online, there is only one authorized website: annualcreditreport.com
  -To order your free annual credit report:
  -Visit annualcreditreport.com
  -Call toll-free: 1-877-322-8228
  -Mail your completed Annual Credit Report Request Form to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281

Fair Credit Report Act – FREE Credit Report Scams
>These sites often look like the official site at annualcreditreport.com
>Some use terms like "free report" in their names; others have website names that purposely misspell annualcreditreport.com in the hope that you will mistype the name of the official site.
>Some of these "imposter" sites direct you to other sites that try to sell you something or collect your personal information.
>To learn about spam or report an occurrence visit www.ftc.gov/spam
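Both the Citi report above (a valid certificate on cytigroup.com rather than citibank.com) and the misspelled "imposter" credit report sites come down to the same check: the registered domain behind a link, not whether https works. An added example, not code from the presentation, that classifies links against a constructed allowlist of the domains the slides discuss; a real deployment would hold the credit union's own registered names.

```python
"""Lookalike-domain check for links in member e-mail.

Added example, not from the ACUSO presentation. The allowlist is a constructed
one containing the domains the slides discuss.
"""
from urllib.parse import urlparse

KNOWN_GOOD = {"citibank.com", "citigroup.com", "annualcreditreport.com"}
MAX_EDITS = 2   # character edits that still count as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com/.org/.net; names such as
    example.co.uk need a public suffix list, which this example omits."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike of X', 'embeds X' or 'unknown'.

    A valid SSL certificate on a lookalike host does not change the verdict:
    the decision rests on the registered name alone.
    """
    if "//" not in url:                      # bare host typed without a scheme
        url = "https://" + url
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in KNOWN_GOOD:
        return "legitimate"
    name = reg.rpartition(".")[0]
    for good in sorted(KNOWN_GOOD):
        if levenshtein(name, good.rpartition(".")[0]) <= MAX_EDITS:
            return f"lookalike of {good}"    # e.g. cytigroup vs citigroup
    for good in sorted(KNOWN_GOOD):
        if good.rpartition(".")[0] in name:
            return f"embeds {good}"          # e.g. annualcreditreport-free
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the cytigroup.com host is the one in the Citi report.
    for link in (
        "https://citibusinessonline.da-us.citibank.com/cbusol/signon.do",
        "https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do",
        "www.annualcreditreports.com",
        "http://annualcreditreport-free.com/",
    ):
        print(f"{classify(link):36} {link}")
```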

MALWARE

Malware
>Malware is a type of software designed to take over and/or damage a computer user's operating system, without his or her knowledge or approval.
>Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range in degree from the slightly annoying (such as unwanted pop-up ads while a user is performing regular computing tasks, on or offline) to irreparable damage requiring the reformatting of one's hard drive, since much malware is poorly written.

Examples of Malware: Backdoor
>A backdoor is a piece of software that allows access to the computer system, bypassing the normal authentication procedures. Based on how they work and spread, there are two groups of backdoors.
  -The first group works much like a Trojan, i.e., they are manually inserted into another piece of software, executed via their host software and spread by the host software being installed.
  -The second group works more like a worm, as they get executed as part of the boot process.

Examples of Malware: Dialer
>A dialer is a program that either replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or dials out at night to send keylogger or other information to a hacker.

Examples of Malware: Keylogger
>A keylogger is software that copies a computer user's keystrokes to a file, which it may send to a hacker at a later time.
>Often the keylogger will only "awaken" when a computer user connects to a secure website, such as a bank. It then logs the keystrokes, which may include account numbers, PINs and passwords, before they are encrypted by the secure website.

Examples of Malware: Browser Hijacker
>A browser hijacker is any program designed to alter a computer user's browser settings.
>These changes can sometimes come in the form of new web sites added to the user's bookmarks; the replacement of his or her home page with one set by the author; or, in the worst case scenario, the browser actually being redirected to various URLs of the author's choosing when certain addresses are typed or found in a search engine results page.

PHARMING

Pharming
>Pharming is the exploitation of a vulnerability in the DNS server software that allows a cracker to acquire the domain name for a site, and to redirect that website's traffic to another web site.
>DNS servers are the machines responsible for resolving internet names into their real addresses — the "signposts" of the internet.

Pharming
>The domain name server acts as a "phone book" to associate the domain name of a website with its IP address ("resolving the domain name").
>If the web site receiving the traffic is a fake web site, such as a copy of a bank's website, it can be used to "phish" or steal a computer user's passwords, PIN number or account number.
>is ignoring warnings about invalid server certificates.

Web site Page Hijacking
>In the summer of 2004, a Linux web server running Apache and OpenSSL was patched only up to about 2000 levels. The web server was hosting several websites, including the webpage of our client (a credit union).
>One night, the website was defaced, and the page put up in its place proclaimed an end to Israeli terrorism and a desire for Palestinians to have their own country.

Through subsequent research on the group that claimed responsibility for the defacing, it was learned that:
>The website was defaced by a worm that exploits a known vulnerability in open source software.
>The software that was exploited is often included in a standard Linux server running Apache.
>The website would not have been defaced if basic patch management practices had been followed.

WHAT IS BEING DONE TO COMBAT THE THREATS?

Single Sign On and a Federated System
>Federated Identity or Identity Federation is a new approach to extending the reach of existing single sign-on systems through a secure exchange of user data among cooperating organizations, whether within a company or between companies.
>Federation enables a seamless experience for the user across multiple services, gives companies better control over their user identities, and enhances security by reducing the number of places where the same user needs to be managed.
>Single sign-on will still include at least two-factor authentication.

VENDORS IN THE NEWS

Some Links to consider upon further research
>RUTHERFORD, N.J. (9/27/05) -- Credit Unions' Virtual Assistant (CUVA) and Green Armor Solutions are coming together to provide credit unions with an anti-phishing system.
>Identity Cues combines technology and psychology to combat phishing, pharming and other forms of online fraud (Business Wire Sept. 21).
>"Identity Cues makes it obvious to users whether they are using a credit union's legitimate website or a phony website set up to enable fraud. It also integrates with online banking applications and does not interfere with the online banking process."

Some Links to consider upon further research
>According to Green Armor, Identity Cues uses easily recognizable visual cues (such as colored letters) during every login for users to quickly, and even subconsciously, recognize if the site is genuine.
>Cues are displayed as users type their usernames and passwords. They vary between users but are identical on each login for any particular user.

Vendors in News - CYOTA
>In March, a Pennsylvania credit union started rolling out a two-factor authentication technology from Cyota Inc. that analyzes and scores risks on individual online banking transactions. The scoring is based on criteria such as the end user's computer, IP address, geographic location and transaction history.
>Users trying to conduct online banking transactions that the system flags as being high risk are authenticated via telephone calls or a challenge-and-response process.

Vendors in News - CYOTA
>The cost of implementing PassMark's technology for a bank with 50,000 online users is $1 per user annually, said Steve Klebe, a vice president at the Redwood City, Calif.-based vendor.
>For larger banks, the yearly per-user cost can be less than the price of a single postage stamp, he added. Cyota's technology also costs less than $1 per user annually, according to the New York-based company.
>In contrast, token-based authentication can easily cost up to $10 per user each year. Its cost and complexity tend to limit the use of tokens to high-value transactions or internal applications.

Vendors in News – Digital Insight
>Digital Insight, a provider of outsourced Internet banking services, plans to soon start offering multifactor authentication capabilities based on technology from TriCipher Inc. in San Mateo, Calif.
>TriCipher lets consumers use their computers as an authentication credential when conducting online transactions, or store portions of their credentials on personal devices such as MP3 players.

Vendors in News – L9.com
>Safe2Login acts as a third-party trust authority employing mutual authentication technologies: a multifactor positive authentication process coupled with the ability to authenticate the banking server to the customer.
>According to Safe2Login, the recent NCUA and FFIEC agency guidance mandates a need to reliably authenticate customers and provide defense against phishing and pharming by verifying that the customer is in fact communicating with the correct banking server, not a spoofed site.
>Mutual authentication is the methodology required to meet these goals.

Vendors in News – L9.com
>L9.com's Safe2Login authentication solution was the recipient of the 2005 CUNA Technology Council Future Forum "Best of Show" award.
>Mutual authentication is a process whereby the customer's identity is authenticated and the target Web site is authenticated to the customer.
>Currently, most credit unions do not authenticate their Web sites to the customer before collecting sensitive information. Credit unions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.

Vendors in News – L9.com
>Safe2Login's customer verification process is classified as a layered Positive Verification process, where Safe2Login, acting as a trusted third party, ensures that material information provided by an applicant during login matches the information supplied during the secure registration process.
>The Safe2Login multifactor authentication process requires that users know several pieces of information, which they supply to the system in a way that defeats "keyloggers."
  -This provides the credit union with an increased level of confidence that the customer is who they say they are.

Vendors in News - Netcraft
>Netcraft can perform an automatic search of a customer's web sites to scan for possible redirection URLs in use, on a daily basis, thereby promptly trapping redirects introduced by inadvertent web design and application development.
  -www.netcraft.com

HOW TO PROTECT YOUR WEB SITE

Protect your web site
>Purchase and maintain all domain names that resemble the credit union's web site address.
>Ensure domain names are registered to the credit union CEO.
  -Review both Admin and Technical contact.
>Secure user ID and password.

Protect your web site
>Periodically change the password and verify account information to ensure it is current.
  -Ensure a documented procedure is in place for this to occur. Do not leave it up to one employee.
>Change all password information upon employee termination or absence.

Protect your web site
>Review the web site daily to ensure pages have not been compromised.
>Do not give the web host provider or designers permission to make any changes to domain records for contact or DNS information.
>Remove all detailed contact information from the web site.

Protect your web site
>Ensure the web site and other on-line service providers perform security patches as threats are identified.
>Review security reports and incidents from the web host company and all other on-line service providers.
>Contract a third party to perform remote vulnerability assessments (RVAs) if they are not periodically performed by the service provider.
  -Make sure an objective third party performs the RVAs.

Protect your web site
>Ensure multiple employees or groups are receiving alerts on the latest Internet security threats.
>Ensure you have identified all vendors involved in your Internet services.
  -Follow the risk assessment process, including the collection, retention and disposal of membership information.

HOW TO EDUCATE YOUR MEMBERS

Educate your members
>Provide written guidance upon entering the web site.
  -Fraud prevention – link to the correct "Free Credit Report."
  -Link to the latest threats.
  -Advise them not to work with their accounts on shared computers. Stay away from library and other public connections.
  -Change passwords frequently.
>Consider implementing a maintenance/security board to notify your members of any threats, periodic maintenance, etc.
>Consider a hot-line.

Educate your members
>Provide members guidance for reporting Internet identity theft.
>The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
>IFCC's mission is to address fraud committed over the Internet. For victims of Internet fraud, IFCC provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected criminal or civil violation.
  -www.ifccfbi.gov/index.asp

Educate your members
>Provide members guidance for learning about and reporting SPAM.
>This website has information about the Federal Trade Commission's recent law enforcement actions against deceptive commercial email and spammers' responsibilities under the CAN-SPAM law.
>In the "For Consumers" section, you'll find tips on how to reduce the amount of spam email in your in-box.
  -www.ftc.gov/spam

Other Helpful Websites:
>Federal Computer Incident Response Center (FedCIRC) @ http://www.fedcirc.gov
>Federal Financial Institution Examination Council @ http://www.ffiec.gov/ffiecinfobase/index.html
>US Computer Emergency Readiness Team (US-CERT) @ http://www.us-cert.gov

Thank You!

Buckley Technology Group
Kristina Buckley, President
kmb@buckleytechgroup.com
www.buckleytechgroup.com
781.829.9934
130 Till Rock Lane, Norwell, MA 02061

Preferred Information Security Business Partner: Netivity Solutions
www.netivitysolutions.com
Skip Tappen, Vice President and General Manager, Netivity Solutions
271 Waverley Oaks Road, Waltham, MA 02452
781-472-3466

