Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fraud Protections, Cyber-Theft and Controls By: David T. Schwindt, CPA RS PRA.

Similar presentations


Presentation on theme: "Fraud Protections, Cyber-Theft and Controls By: David T. Schwindt, CPA RS PRA."— Presentation transcript:

1 Fraud Protections, Cyber-Theft and Controls By: David T. Schwindt, CPA RS PRA

2 2 David T. Schwindt David T. Schwindt, CPA, a native Oregonian, has over twenty five years experience in public and private accounting including employment with the Portland, Oregon and Denver, Colorado, offices of KPMG Peat Marwick. Mr. Schwindt’s tenure was spent primarily in the Private Business Advisory Services Department providing auditing, accounting, tax, and management consulting services for businesses as well as tax compliance and planning for individuals. Mr. Schwindt is a graduate of Western Oregon University where he received a Bachelor of Science Degree. He is a Certified Public Accountant in the State of Oregon, Washington, California and Arizona and is a member of the Oregon Society of Certified Public Accountants and the American Institute of Certified Public Accountants. He is a Certified Reserve Specialist – RS, licensed by Community Associations Institute and a Professional Reserve Analyst – PRA, licensed by the Association of Professional Reserve Analysts. He is a past director for Centennial National Bank and Columbine Valley Bank and Trust, Denver, Colorado and member of OWCAM and Oregon CAI LAC. Mr. Schwindt is past President of the Oregon Chapter of Community Associations Institute and was instrumental in organizing the Central Oregon Regional Council. Mr. Schwindt specializes in providing accounting, tax and reserve services to Homeowner Associations and currently services over 500 Associations in the Pacific Northwest.

3 Cyber-theft Are we at risk? YES!! 3

4 Who Should be concerned? Board Members Management Companies Affiliates –CPAs –Bookkeepers –Insurance Agents –Bankers –Attorney Treasurers who have control over reserve funds 4

5 5 Understanding the Adversary Known fraud rings are mostly Eastern European (Ukrainian, Russian, Romanian, Estonian) as well as Asian Complete service-based economy with specialists in –ATMs –ACH and wire payment systems –Check processing –Credit card processing Online libraries, education, marketplace and recruitment –Malware kits sell for as little as $5,000 –Some kits even come with tech support Attacks involve social engineering and technical aspects

6 6 The Goal of Criminals Steal cash Steal information that can be converted to cash

7 7 Dissecting a Zeus Attack Account Take Over Dissecting an Attack Account Take Over Dissecting an Attack 1. Target Victims 2. Install Malware 3. Online Banking 4. Collect & Transmit Data 5. Initiate Funds Transfer Criminals target victims by way of phishing or social engineering techniques The victims unknowingly install malware on their computers, often including key logging and screen shot capabilities The victims visit their online banking website and log on per the standard process The malware collects and transmits data back to the criminals through a back door connection The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.

8 8 Phishing Criminals “phish” for victims using s, pop-up’s and social engineering Unsolicited phishing s may –Ask for personal or account information –Direct the employee to click on a malicious link –Contain attachments that are infected with malware –Contain publicly available information to look legitimate Phishing s can be very convincing –From UPS: “There is a problem with your shipment.” –From your bank: “There is a problem with your bank account.” –From the Better Business Bureau: “A complaint has been filed against you.” –From a Court: “You’ve been served a subpoena/selected for jury duty.” –From NACHA or the Federal Reserve: “Your ACH or wire transaction has been rejected.” –From a job applicant: “My resume is attached.”

9 9 Sample Phishing NACHA Phishing Alert (01/19/2010) – Claiming to be from NACHA = = = = = Sample = = = = = Dear bank account holder, The ACH transaction, recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association. Please Find Attached Transaction Report _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Paul Arnold Electronic Payments Association Manager = = = = = = = = = =

10 10 Malicious Software (Malware) Downloaded to PC after employee opens infected attachments in an or visits a nefarious website Newer malware can be acquired simply by viewing HTML s Allows criminals to “see” and track employee’s activities internally and on the Internet, including visits to online banking sites Criminal uses captured credentials to conduct unauthorized transactions that otherwise appear to be legitimate

11 If you are hacked and your money is gone, who will reimburse you? Bank? Management Company? Insurance Company? –Fidelity Insurance? –Computer Fraud Insurance? 11

12 Safeguards Passwords –Complex –Change passwords regularly –Do not share –Do not store on computer Stand Alone Computer –No web browsing –No s –Password 12

13 Dual Authorizations, online transactions should be coordinated with the Bank Financial/IT Audits –Implement recommendations –Yearly –Audits vs Reviews Education –Board Members –Management Company Personnel 13

14 Written Protocols –Controls –Ongoing Education –In the event of an attack Contingency Plans Daily reviews of all online transactions –Banks require immediate notification Firewalls, Anti-virus, IT Security Software, and Protocols 14

15 Who is ultimately responsible for ensuring that strong controls are in place to prevent cyber-theft? A.Association management company B.Independent Auditor C.Insurance Agent D.Board of Directors E.Banker 15 Answer: D. Board of Directors

16 How does the Board of Directors fulfill this responsibility? Engaging professionals – CPA – Management Company – Insurance Agent – Banker – IT Consultant Documenting protocols 16

17 17 Summary Conduct periodic risk assessments Educate Board, management company, and committee members as to the threat, defenses and risks Use a stand-alone PC for online banking; prohibit , web surfing, etc. Use dual control, dual authorization, activity limits, and receive alerts Review accounts and transactions regularly Recognize the signs of malware on the PC Suspect malware? Stop, unplug the PC and contact your FI immediately. Comply with the PCI Data Security Standards Computer fraud and Fidelity Insurance

18 18 A Classic Risk Management Quote “When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident…or any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.” -Edward J. Smith, 1907 (Captain, RMS Titanic, 1912)

19 Cyber Theft Presented by Kris Gjylameti

20 Cyber Crime – Growing Trend Cyber thieves have costs US companies more than $ 15bn in the past five years, the FDIC corporation found in a recent study. Cyber-crime in ,655 complaints received $560M lost (not including unreported incidents) Cyber-crime in ,284 complaints received $265M lost (not including unreported incidents)

21 Sample Corporate Account Takeovers and Losses  Pennsylvania School District - $450,000  New York School District - $500,000  Experi-Metal - $550,000  PATCO - $358,000  Hillary Machinery - $229,000  Illinois Town - $70,000  Marian College - $189,000  Sand Springs School - $80,000  Sycamore County Schools - $300,000  Village View Escrow - $465,000  Catholic Diocese of Des Moines - $600,000  Town of Pittsford, NY - $139,000  Steuben Arcs - $158,000  St. Isidore’s Catholic Church - $87,000  Two Trucking Companies - $115,000  MECA - $217,000

22 FDIC - Trivia Do you think that the FDIC will insure your money from a cyber theft event? YES NO

23 Primary Targets – Companies Cyber criminals are no longer attacking banks, they are targeting business Primary banking products are ACH and wire transfers, Online Bill Pay, E payments Management Companies are the perfect target – Associations with large deposit amounts!!!

24 Is this you?

25 Accept that these threats are real and it could happen to you! The key is awareness and action on that awareness If you notice behavior by your system, staff, affiliates or other personnel that just doesn’t seem right, question it Awareness

26 Do not open attachments or enter links where the sender is not know to you or the information was not solicited/initiated by you Security information WILL NEVER be solicited by Only browse on internet for business related needs Prevention Methods

27 Does your bank give board members online banking transaction capabilities? Do they ask if the board has proper internal controls? Dual Controls in online banking Multiple user approval features and approval levels Questions to ask your Banker

28 User level functionality that allows you to set access and limits per the needs of the user along with managing what the user can see. notifications – Have your balances changed? Questions to ask your Banker

29 Out of Band verification for ACH and Wire transactions when funds are leaving your account. Does your bank provide a layered security? Questions to ask your Banker

30 Control: Out-of-Band Authentication Enhanced Multi-Factor Authentication 1. User logs in with their Username and Password Something you know

31 2. User is prompted to select channel for delivery of One Time Password (OTP) Something you have * Control: Out-of-Band Authentication Because of multi-factor authentication, fraudster can not independently log into a user account. Fraudster would need to know username/password AND have the users phone. *

32 Require secondary approval of transactions or key changes with OTP Control: Transaction Verification

33 Immediate fraud identification, reporting and escalation is required. Commercial Clients have a duty to secure their information. Losses due to commercial client negligence can possibly result in a loss to the client. Consumer v.s. Commercial Banking fraud

34 Bank should call to verify whether a transaction is authentic:  The call should go to someone other than the person who initiated the transaction  Call should be confirmed by a “PIN” Control: Callbacks

35 Reporting periods for are based on the method of fraud and other circumstances. Check with your bank and ask for their specific reporting criteria. Millions can be lost in minutes so don’t delay! Contact your bank and make them aware of the cyber theft. Immediate reporting is critical to the success of recovering and mitigating losses when fraud occurs due to the timeframes set by the Federal Reserve, UCC or NACHA Consumer v.s. Commercial Banking fraud

36 Reg E – Provides Consumer Protection. Consumers enjoy much more protection from cyber theft or banking fraud. There is less of a burden for consumers and more on Commercial Businesses Consumer Protection

37 Monitor your account and audit your NACHA files for fraudulent activity. Collectively participate in your own - Information Security There is varying case laws with commercial client breaches – each situation is unique Commercial Clients

38 MOST IMPORTANTLY, if you think you have clicked, open or downloaded a virus or software program, notify your supervisor and/or IT staff immediately The longer you wait, the more damage can occur!!! Prevention Methods continued

39 FDIC - website (www.fdic.gov) offers a wealth of information on this and related topicswww.fdic.gov FDIC - has produced an excellent video “Don’t be an Online Victim” which can be found on YouTube Additional Resources

40 “ The world isn’t run by weapons anymore, or energy, or money. Its run by little ones and zeroes, little bits of data. “ Sneakers (1992) Kris Gjylameti


Download ppt "Fraud Protections, Cyber-Theft and Controls By: David T. Schwindt, CPA RS PRA."

Similar presentations


Ads by Google