Credit Union Industry Statistics (four chart slides; figures not included)
Online Fraud Trends – Staying Ahead of the Threats Matthew Biliouris, Information Systems Officer – NCUA ID Management in Financial Services – May 2005
Risk Assessment Process • 1. Identify Risks • 2. Understand Risks • 3. Prioritize Risks • 4. Develop & Implement Action Plans • 5. Monitor
Security Programs • Gramm-Leach-Bliley Act – 501(b) • Outlines Specific Objectives • Requires NCUA to establish standards for safeguarding member records
Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Specifically Stated in §748.0(b)(2)
Security Programs • Appendix A – Guidelines for Safeguarding Member Information • Involvement of Board of Directors • Assess Risk • Manage & Control Risk • Oversee Service Providers • Adjust the Program • Report to the Board
Security Programs • Response Program Guidance • Increasing Number of Security Events • Congressional Inquiries • GLBA Interpretation • FFIEC Working Group • Revise Part 748 – Add New Appendix B
Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Respond to Incidents of Unauthorized Access to Member Information
Security Programs • Appendix B – Guidance on Response Programs • Components of a Response Program • Assessing Incident • Notifying NCUA/SSA • Notifying Law Enforcement Agencies • Containing/Controlling Incident • Notifying Affected Members
Security Programs • Appendix B – Guidance on Response Programs • Content of Member Notice • Account/Statement Review • Fraud Alerts • Credit Reports • FTC Guidance
PART 748 APPENDIX B • Conflict with State Law – e.g., California Notice of Security Breach statute • Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person • Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections
NCUA Expectations • Potential Questionnaire: • Incorporated into Overall Security Program • Escalation Process / Incident Response • Review of Notices – Attorney Review? • Enterprise Wide Approach • Reporting to Senior Management • Member Outreach / Awareness Programs • Employee Training Programs
Quotes • “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” Arthur Levitt Former Chairman of the SEC
Phishing 101 • Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Phishing 101 • E-mail • Spoofed address • Convincing • Sense of urgency • Embedded link (but not always)
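The four e-mail indicators on this slide can be checked mechanically on inbound mail reported by members or staff. The following scorer is an added example, not part of the original presentation; it assumes a fictitious credit union domain (example-cu.test) and runs against a constructed sample message, flagging a Reply-To that differs from the From domain, urgency wording, requests for credentials, and anchor links whose visible text names the credit union while the href points elsewhere.

```python
import email, re
from email import policy
from urllib.parse import urlparse

LEGIT_DOMAIN = "example-cu.test"  # credit union's real domain (assumed for this example)
URGENCY = ("immediately", "within 24 hours", "suspended", "urgent")
CREDENTIAL_RE = re.compile(r"\b(password|pin|social security|account number)\b")
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def addr_domain(header_value) -> str:
    """Lowercased domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""

def phishing_indicators(raw: str) -> list:
    """Return the slide's indicators that are present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if from_dom != LEGIT_DOMAIN:
        hits.append("sender not on credit union domain")
    if reply_dom and reply_dom != from_dom:  # replies quietly routed elsewhere
        hits.append("reply-to domain differs from From")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    low = (str(msg["Subject"] or "") + " " + body).lower()
    if any(w in low for w in URGENCY):
        hits.append("urgency language")
    if CREDENTIAL_RE.search(low):
        hits.append("asks for credentials")
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
            shown = re.sub(r"<[^>]+>", "", text).lower()  # visible anchor text
            kind = "disguised link" if LEGIT_DOMAIN in shown else "link"
            hits.append(f"{kind} to foreign host {host}")
    return hits

# Constructed sample message (not real phishing mail)
PHISH = """\
From: Example Credit Union <alerts@example-cu.test>
Reply-To: support@mail-verify.invalid
Subject: Account suspended
Content-Type: text/html

<p>Verify your account immediately by entering your password and PIN:</p>
<a href="http://example-cu.test.login.invalid/verify">https://www.example-cu.test/login</a>
"""
```

A message from the real domain with no urgency wording, no credential request and no off-domain links returns an empty list, so the function doubles as a quick triage filter for the complaint-handling process described later in the deck.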
Phishing Trends • Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing • APWG Members: • Over 400 members • Over 250 companies • 8 of the top 10 US banks • 4 of the top 5 US ISPs • Over 100 technology vendors • Law enforcement from Australia, CA, UK, USA
Phishing Trends Source: APWG Phishing Attack Trends Report – March 2005 (two chart slides; figures not included)
Examples (March, May and June 2004) Source: Anti-Phishing Working Group Phishing Archive (seven screenshot slides; images not included)
Phishing Action Plans – Employee Education Training / Policy Development • Awareness • Handling complaints & reports of suspicious e-mails/sites • Protect on-line identity of credit union • Response Plan
Phishing Action Plans – Member Education Communication Methods • Internet Banking Agreements • Newsletters • Statement Stuffers • Recordings when on “hold” • Website (FAQs / Advisories / Links)
Phishing Action Plan Ideas – Member Education Content • We will never ask for xxx via e-mail • We will never alert you of xxx via e-mail • Always feel free to call us at # on statement • Always type in our site URL (see statement / newsletter / previous bookmark)
Phishing Action Plan Ideas – Member Education Content (cont’d) • Sites can be convincingly copied • Report suspicious e-mails & sites • Where to get more advice on phishing • Importance of patching • How to validate site (via cert or seal) • Where to go for ID theft help
Phishing Action Plan Ideas – Protection of CU’s Online Identity Considerations: • Keep certificates up-to-date • Practice good domain name controls • Don’t let URLs lapse • Purchase similar URLs / Search for similar URLs
Phishing Resources NCUA • (08/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes • (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance • FFIEC Agency Brochure
Inside the Examiner’s Playbook – Think Globally • Vendor Management • Security Program (Part 748) • Employee Remote Access • Risk Assessment • Patch Management • IDS/Incident Response • Virus Definition Updates • BCP • Formal Policies
FFIEC IT Examination Handbook Issued: • BCP • Information Security • Supervision of TSPs • Audit • E-Banking • Fedline • Development & Acquisition • Management • Operations • Outsourcing • Retail Payment Systems • Wholesale Payment Systems