
Online Fraud Trends – Staying Ahead of the Threats


Presentation Transcript


  1. Online Fraud Trends – Staying Ahead of the Threats Matthew Biliouris, Information Systems Officer – NCUA ID Management in Financial Services – May 2005

  2. Credit Union Industry Statistics

  3. Credit Union Industry Statistics

  4. Credit Union Industry Statistics

  5. Credit Union Industry Statistics

  6. Risk Assessment Process • 1. Identify Risks • 2. Understand Risks • 3. Prioritize Risks • 4. Develop & Implement Action Plans • 5. Monitor

  7. Security Programs • Gramm-Leach-Bliley Act – 501(b) • Outlines Specific Objectives • Requires NCUA establish standards for safeguarding member records

  8. Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Specifically Stated in §748.0(b)(2)

  9. Security Programs • Appendix A – Guidelines for Safeguarding Member Information • Involvement of Board of Directors • Assess Risk • Manage & Control Risk • Oversee Service Providers • Adjust the Program • Report to the Board

  10. Security Programs • Response Program Guidance • Increasing Number of Security Events • Congressional Inquiries • GLBA Interpretation • FFIEC Working Group • Revise Part 748 – Add New Appendix B

  11. Security Programs • Credit Unions Must Have Process in Place to: • Ensure Security & Confidentiality of Member Records • Protect Against Anticipated Threats or Hazards • Protect Against Unauthorized Access • Respond to Incidents of Unauthorized Access to Member Information

  12. Security Programs • Appendix B – Guidance on Response Programs • Components of a Response Program • Assessing Incident • Notifying NCUA/SSA • Notifying Law Enforcement Agencies • Containing/Controlling Incident • Notifying Affected Members

  13. Security Programs • Appendix B – Guidance on Response Programs • Content of Member Notice • Account/Statement Review • Fraud Alerts • Credit Reports • FTC Guidance

  14. PART 748 APPENDIX B • Conflict with State Law – e.g., California Notice of Security Breach statute • Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person • Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections

  15. NCUA Expectations • Potential Questionnaire: • Incorporated into Overall Security Program • Escalation Process / Incident Response • Review of Notices – Attorney Review? • Enterprise Wide Approach • Reporting to Senior Management • Member Outreach / Awareness Programs • Employee Training Programs

  16. “Phishing”

  17. Quotes • “…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…” Arthur Levitt Former Chairman of the SEC

  18. Phishing 101 • Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

  19. Phishing 101 • E-mail • Spoofed address • Convincing • Sense of urgency • Embedded link (but not always)
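The four e-mail indicators on this slide can be checked mechanically. The following is an added example (not part of the original presentation) that scores a raw message against them; the credit union domain `examplecu.org` and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CU_DOMAIN = "examplecu.org"   # hypothetical credit union domain (assumption)
CU_BRAND = CU_DOMAIN.split(".")[0]
URGENCY = ("suspended", "within 24 hours", "verify immediately", "account will be closed")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_indicators(raw):
    """Return the slide-19 indicators found in one single-part RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # Spoofed address: display name invokes the credit union, sending domain does not.
    if CU_BRAND in name.lower().replace(" ", "") and from_domain != CU_DOMAIN:
        found.append("spoofed-from")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("reply-to-mismatch")
    body = msg.get_payload()
    if any(k in body.lower() for k in URGENCY):
        found.append("urgency")
    for href, label in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if host != CU_DOMAIN and not host.endswith("." + CU_DOMAIN):
            found.append("link-offsite:" + host)
        # Embedded link whose visible text names a different host than its real target.
        shown = re.search(r"https?://([^/\s<]+)", label)
        if shown and shown.group(1).lower() != host:
            found.append("link-text-mismatch")
    return found

# Constructed samples: one lure, one legitimate newsletter.
PHISH = """From: "Example CU Security" <alerts@examplecu-verify.com>
Reply-To: recover@mail-drop.example
Subject: Account suspended
Content-Type: text/html

<p>Your account will be closed within 24 hours unless you verify immediately.</p>
<a href="http://203.0.113.9/login">https://www.examplecu.org/login</a>
"""
LEGIT = """From: "Example CU" <news@examplecu.org>
Subject: Newsletter
Content-Type: text/html

<p>See this quarter's newsletter.</p>
<a href="https://www.examplecu.org/news">Read more</a>
"""
```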

  20. Phishing Trends • Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. • APWG Members: • Over 400 members • Over 250 companies • 8 of the top 10 US banks • 4 of the top 5 US ISPs • Over 100 technology vendors • Law enforcement from Australia, CA, UK, USA

  21. Phishing Trends Source: APWG Phishing Attack Trends Report – March 2005

  22. Phishing Trends Source: APWG Phishing Attack Trends Report – March 2005

  23. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  24. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  25. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  26. Examples (June 2004) Source: Anti-Phishing Working Group Phishing Archive

  27. Examples (March 2004) Source: Anti-Phishing Working Group Phishing Archive

  28. Examples (March 2004) Source: Anti-Phishing Working Group Phishing Archive

  29. Examples (May 2004) Source: Anti-Phishing Working Group Phishing Archive

  30. Phishing Action Plans – Employee Education Training / Policy Development • Awareness • Handling complaints & reports of suspicious e-mails/sites • Protect on-line identity of credit union • Response Plan

  31. Phishing Action Plans – Member Education Communication Methods • Internet Banking Agreements • Newsletters • Statement Stuffers • Recordings when on “hold” • Website (FAQs / Advisories / Links)

  32. Action Plan Ideas - Education

  33. Action Plan Ideas - Education

  34. Action Plan Ideas - Education

  35. Phishing Action Plan Ideas – Member Education Content • We will never ask for xxx via e-mail • We will never alert you of xxx via e-mail • Always feel free to call us at # on statement • Always type in our site URL (see statement / newsletter / previous bookmark)

  36. Phishing Action Plan Ideas – Member Education Content (cont’d) • Sites can be convincingly copied • Report suspicious e-mails & sites • Where to get more advice on phishing • Importance of patching • How to validate site (via cert or seal) • Where to go for ID theft help

  37. Phishing Action Plan Ideas – Protection of CU’s Online Identity Considerations: • Keep certificates up-to-date • Practice good domain name controls • Don’t let URLs lapse • Purchase similar URLs / Search for similar URLs
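"Search for similar URLs" can be automated: generate the lookalike variants of the credit union's domain and compare them against newly observed domain registrations. This is an added example, not material from the presentation; `examplecu.org` and the observed-domain list are constructed for it, and the variant generator goes slightly beyond the slide by also catching brand-in-name registrations and near-miss spellings by edit distance.

```python
CU_DOMAIN = "examplecu.org"   # hypothetical credit union domain (assumption)
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
TLDS = ("com", "net", "us", "co")

def lookalikes(domain=CU_DOMAIN):
    """Typo, homoglyph, hyphen and TLD-swap variants a monitoring feed should watch."""
    label, tld = domain.rsplit(".", 1)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + tld)                       # omission
        if i + 1 < len(label):                                               # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
        if label[i] in HOMOGLYPHS:                                           # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:] + "." + tld)
        if i > 0:                                                            # hyphenation
            out.add(label[:i] + "-" + label[i:] + "." + tld)
    for t in TLDS:
        out.add(label + "." + t)
    out.discard(domain)
    return out

def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance between two strings."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def suspicious(observed, domain=CU_DOMAIN, max_dist=2):
    """Observed domains that match a variant, embed the brand, or sit within max_dist edits."""
    variants, brand = lookalikes(domain), domain.split(".")[0]
    hits = []
    for name in observed:
        name = name.lower().strip(".")
        if name == domain:
            continue
        if name in variants or brand in name or edit_distance(name, domain) <= max_dist:
            hits.append(name)
    return hits

# Constructed feed of newly seen domains (e.g. from zone-file or certificate-transparency monitoring).
OBSERVED = ["examp1ecu.org", "exampelcu.org", "examplecu.com", "example-cu.org",
            "examplecu.org", "unrelatedbank.org", "examplecu-login.net"]
```

Hits from such a check are the candidates for the takedown and member-warning steps described elsewhere in this deck, not a verdict on their own.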

  38. Phishing Resources NCUA • (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes • (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance • FFIEC Agency Brochure

  39. Action Plan Ideas - Education

  40. Action Plan Ideas - Education

  41. Inside the Examiner’s Playbook – Think Globally • Vendor Management • Security Program (Part 748) • Employee Remote Access • Risk Assessment • Patch Management • IDS/Incident Response • Virus Definition Updates • BCP • Formal Policies


  45. FFIEC IT Handbook

  46. FFIEC IT Examination Handbook Issued: • BCP • Information Security • Supervision of TSPs • Audit • E-Banking • Fedline • Development & Acquisition • Management • Operations • Outsourcing • Retail Payment Systems • Wholesale Payment Systems
