1 / 28

2010 FIBA Conference The Bank Fraud Reality: Experiences and Perspectives of U.S. Banks

2010 FIBA Conference The Bank Fraud Reality: Experiences and Perspectives of U.S. Banks. Michael B. Benardo Cyber Fraud and Financial Crimes Section Chief Division of Supervision and Consumer Protection Federal Deposit Insurance Corporation. Outline. Phishing

ojal
Download Presentation

2010 FIBA Conference The Bank Fraud Reality: Experiences and Perspectives of U.S. Banks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 2010 FIBA ConferenceThe Bank Fraud Reality:Experiences and Perspectives of U.S. Banks Michael B. Benardo Cyber Fraud and Financial Crimes Section Chief Division of Supervision and Consumer Protection Federal Deposit Insurance Corporation

  2. Outline • Phishing • Corporate Account Takeover Risks • Third Party Payment Processor Risks • Mobile Banking Risks

  3. Phishing

  4. Phishing • An e-mail that looks like it is from a legitimate source – PayPal, a financial institution, FDIC • The recipient provides personal or financial information, such as bank account or credit card numbers, passwords, date of birth, social security number • Financial loss and/or Identify theft

  5. Phishing • Skyrocketed with significant increases since mid-1990’s – ignited by Internet and PCs • Criminals moved quickly to use newer technologies – provided easy access & anonymity

  6. Typical Phishing e-mail • Urgent! • Use fear • More sophisticated than in the past

  7. Phishing and Related Threats

  8. Corporate Account Takeover Risks

  9. Corporate Account Takeovers Recent Headlines: “Cybercrooks Stalk Small Businesses that Bank Online” “European Cyber-Gangs Target Small U.S. Firms” “Broad New Hacking Attack Detected”

  10. Corporate Account Takeovers • Impacting Web-based payment origination services for business customers • Resulting from compromised banking software login credentials • Business customers • Municipalities • Churches and Religious Institutions

  11. Corporate Account Takeovers • Fraudulent EFT transactions • Automated clearing house (ACH) • Wire transfers • Crimeware (malicious software) • Trojan horse programs • Key loggers • Other spoofing techniques

  12. Corporate Account Takeovers • Awareness, education and collaboration • Financial institutions • Small businesses • Technology providers • Law enforcement agencies and banking regulators

  13. Corporate Account Takeovers • SA-147-2009: Fraudulent Electronic Funds Transfers www.fdic.gov/news/news/specialalert/2009/sa09147.html • SA-185-2009: Fraudulent Work-at-Home Funds Transfer Agent Schemes www.fdic.gov/news/news/specialalert/2009/sa09185.html

  14. Third PartyPayment Processor Risks

  15. Payment Processor Relationships • High Risk Activities • Telemarketing • On-line merchants • Payment Types • Remotely Created Checks • ACH

  16. Third Party Payment Processors • Risks • Strategic Risk • Credit Risk • Compliance Risk • Transaction Risk • Legal Risk • Reputation Risk • Financial institutions may be viewed as facilitating a payment processor’s or a merchant client’s fraudulent or unlawful activity

  17. Third Party Payment Processors Processor Due Diligence & Underwriting • Policies and procedures • Background check of processor and merchant clients • Processor approval program that extends beyond credit risk management • Authenticate the processor’s business operations and assess the risk level

  18. Third Party Payment Processors Ongoing Monitoring • Monitor higher rates of returns or charge backs • FFIEC BSA/AML Examination Manual urges financial institutions to assess and manage risk with respect to third-party payment processors • Risk management program should include procedures to monitor payment processor information (i.e., merchant data, transaction volume, charge back history)

  19. Third Party Payment Processors Red Flags • Payment processors that use more than one financial institution to process merchant client payments • One or more of the relationships may be terminated as a result of suspicious activity • Payment processor’s merchant clients are inappropriately obtaining personal account information and using it to create unauthorized RCCs or ACH debits

  20. Third Party Payment Processors When Fraudulent Activity is Suspected • File a Suspicious Activity Report • Require payment processor to cease processing for that specific merchant • Terminate financial institution’s relationship with the payment processor

  21. Mobile Banking Risks

  22. Mobile Banking • Banking: alerts, funds transfers, balance checking • Payments: payments at point of sale, domestic P2P, cross-border remittances • Prepaid on the phone

  23. Mobile Banking • P2P initiatives introduced on mobile phone gaining traction in United States: • SMS texting – convenience may drive adoption • iPhone, Droid, smartphone Apps • “Bump” phones to exchange information

  24. Mobile PaymentsHaiti Earthquake Donations • Bank agnostic payment – telecoms extending credit • Error resolution issues: • What happens if the $20 donation instruction you sent to Haiti appears as a $200 or even a $2,000 charge on your bill? • What if there is a disagreement about the error between you and your wireless carrier?

  25. Mobile PaymentsHaiti Earthquake Donations • Who regulates transaction to protect consumer from identity theft, payment fraud and other payment risks? • Charity scams – FBI and other warnings

  26. Mobile Banking/Payment Security Threats • Mobile malware and viruses • Secure access • BSA and AML – prepaid on the phone • Un-trusted applications • Authentication • Identity theft • Regulatory framework • Who owns the customer? Consumer protections?

  27. Questions?

  28. Thank you!

More Related