Fraud Alert Center
Don't let Trojans infiltrate customer cash management
ABA Journal March 2013
(Commercial Customer Article)
By Ken Procter
Late on a Friday afternoon, the day after Christmas, a large commercial bank received a file of ACH credits from one of its commercial customers, submitted through the bank’s electronic banking system. The file totaled over $400,000. Then, the following Monday afternoon, a second file of ACH credits for almost $300,000 was received by the bank from the same commercial customer. The originator of the transactions had used the proper identification and password information, and both transactions were validated according to procedures established by the bank and, apparently, agreed upon with the customer. In this case, the bank, in addition to authenticating the user ID and password, used a sophisticated scoring model to validate the transactions. Both scored as valid, even though they were originated on days of the week different from those on which such transactions were typically received from this customer; came from a different originating computer address; and were for amounts, in total and individually, unlike those typically received from this customer.
It wasn’t until Tuesday afternoon that someone became aware that something was amiss. A gentleman from California called the bank’s customer to ask why he had been sent $22,000. By the time the customer notified the bank on Wednesday morning of the odd call and the bank investigated the issue, only a small portion of the stolen funds could be recovered. Of course, the customer felt the bank should reimburse it for the loss. The bank, with justification, noted that it had received the transactions from someone who logged on with the proper user ID and password, and that the transactions were further validated using a procedure agreed upon by the customer. The bank refused to pay, and the customer sued. Extensive investigations by both parties determined that both bank and customer were somewhat to blame for the loss, and ultimately, the parties settled. By then, the bank had spent more than the settlement amount on attorneys and investigators. And its reputation was damaged by the negative press resulting from the lawsuit.
How did it happen? Such frauds start at the customer level, with computer systems being attacked and compromised. “Cybercriminals are moving away somewhat from direct attacks on bank networks unless they discover blatant security ‘holes’ or attack vectors [that] are not secured,” says Todd Stringer, Abound Resources director of IT security. “Instead, they are exploiting weaknesses in security of the bank’s customers.” In the case of these frauds, a customer’s computer may be compromised in several ways. The employee may have visited a legitimate website that is secretly hosting malware; a site designed to host the malware; or a legitimate site hosting the malware in an advertisement. In many cases, the computer user opens what appears to be a legitimate email and clicks on a link that connects him to the site hosting the malware, typically a Trojan (short for “Trojan Horse”).
The Trojan is downloaded to the customer’s computer and begins logging keystrokes and recording passwords and IDs. It also may generate challenge-response questions (“What city were you born in,” etc.) when the customer visits various websites. (Zeus Trojans are known for targeting banking information.) The Trojan will transfer the user’s log-in ID, password, date of birth and other security information to the cyber thieves, who use it to fraudulently access the bank’s systems. The Trojan may also alert the cyber thieves when the customer is logged onto the bank’s cash management system. The criminals then hijack the session and submit fraudulent payment information to the bank. The Trojan may check the account balance, and if it is over a certain amount, it will determine how much to steal within a limit so as not to trigger automatic fraud-detection alarms. The money is transferred to bank accounts of so-called “money mules,” who are typically people who have been recruited by criminals or innocent parties who have had their own bank accounts compromised by the criminals. From there, the money is transferred to accounts in other countries that are controlled by the cyber thieves.
The fraud described at the beginning of the article was by no means an isolated event. Since it first appeared in 2007, the Zeus Trojan and its variants have caused millions in losses to banks and their business customers. Recently, a variation of the attack has been used to exploit business customers’ email. A community bank suffered a loss of almost $500,000 because it executed wire transfers based on email instructions received from a customer (supposedly) that turned out to be fraudulent. The emails appeared genuine to the bank, since the criminals had compromised the customer’s email account. They were addressed to the bank employee who typically managed transactions with the customer, addressed the employee by name and included other personal information.
Protecting Bank and Customer
Many banks employ sophisticated third-party services to protect against these types of attacks. These include cloud-based secure sites; encrypted transmissions and passwords; biometric devices (like thumbprint and retina scanners attached to customer computers); and USB “keys” that must be inserted into the computer at the time the transaction is originated, and which incorporate tests and one-time passwords. Use these security procedures where appropriate. As regulators and security experts agree, the strongest security systems include something the user “has” (a key), something “they are” (biometrics), and something “they know” (passwords and IDs, recognition of preselected pictures and icons). However, no level of technology can totally eliminate the human element from the security process. As described earlier, the bank used a sophisticated scoring model to authenticate electronic transactions. Unfortunately, it set the score too high for considering a transaction suspect, and did not include vital criteria in the scoring model.
How to Beat the Trojan
“Sometimes, the old ways are the best,” says a character in the recent movie Skyfall to James Bond. With that in mind, here are a few steps to take.
Contracts. A contract is essential between the bank and its customers who use cash-management services, including those who only send wire transfers and may not use the cash-management system to transmit the wire instructions to the bank. All too often, banks have no customer agreements documenting the procedures for transmitting, receiving and authenticating wire-transfer instructions. Or, at best, they have poorly worded ACH agreements. In 1994, Section 4a was added to the Uniform Commercial Code, specifically revised to address the transmittal and authentication of electronic-payment orders, such as wire transfers and ACH files.
The significance of this: If a bank provides customers a “commercially reasonable security procedure” for authenticating these orders, the customer agrees in writing with the procedure, and the bank follows the procedure, then the bank is insulated against loss, even if a fraudulent payment order is transmitted to and acted on by the bank. “Commercial reasonableness” of a security procedure is generally determined by considering the circumstances of the customer known to the bank, such as the size, type and frequency of payment orders normally issued by the customer; alternative security procedures offered to the customer; and security procedures in general use by customers and receiving banks processing similar transactions. A security procedure also can be considered commercially reasonable if: it was chosen by the customer after the bank offered, and the customer refused, a security procedure considered commercially reasonable for that customer; and the customer expressly agrees, in writing, to be bound by any payment order issued in its name and accepted by the bank following that security procedure, whether or not it was properly authorized. Shortcut security and authentication procedures, like recognizing a customer’s voice on the phone or comparing a faxed signature to one on file, are not commercially reasonable. Worse yet, many banks don’t document the procedures in a contract signed by the customer.
Customer awareness and controls. Make the customer aware of these threats and the types of security procedures they should consider. These include simple, common practices like not sharing passwords; requiring passwords to be changed frequently; restricting use of the computer used to access the bank’s cash-management system to only that purpose; and restricting the ability to access email and other websites on that computer. Provide customers the capability for dual entry of these transactions so that two people are required to execute each transaction: one customer employee would enter the transaction using her user ID and password, and then a second employee would verify and release the transaction. Other practical controls include:
- Setting limits on how much money can be transferred out of the account in a given day.
- Restricting which employees can add new payees to the system, change payment amounts, and transfer checking account balances.
- Scheduling payments at the end of every workday, instead of the following morning.
- Since Microsoft’s Internet Explorer has been the target of many of these attacks, encouraging customers to consider using a different internet browser or accessing the bank’s system from software operating at one of the cloud-based secure sites.
“Out of bank” authentication. Even if automated security procedures are used, they can still break down or be compromised. At least for larger transactions, banks should use an “out of bank” authentication procedure. That is, if a payment instruction is received, and even authenticated through the cash-management system, an alternative method or channel should be used to authenticate the instruction. For example, require customers to transmit information regarding the payments to the bank in advance by phone, fax, or text message, or to confirm them after they are transmitted by the same methods. It would be better if the bank originated these authentication procedures, for example, by calling the customer back using a predetermined phone number to confirm instructions before they are executed.
Positive pay. Provide customers with positive-pay systems, so that they can see information regarding pending payments, such as incoming debits, outgoing payments, and checks to be paid, and can specifically authorize payment by the bank.
Test security and controls. Encourage bank customers to have someone periodically scan their systems. They should test their security controls, make sure their virus and malware-protection software is up to date, and make sure their internet browser’s security patches are up to date. The bank could offer to provide these services, but the concern is that doing so would increase the bank’s liability if the customer does ultimately have a problem.
Insurance. In the almost inevitable event that something does go wrong, make sure that the bank has sufficient as well as appropriate cybercrime insurance. “Most bankers today are somewhat in the dark about how their mixture of cyberfraud and privacy related risks are covered or not covered in their insurance and fidelity-bond programs,” says Roger Haynes, executive vice-president and practice leader at William Gallagher Associates Financial Risks. He recommends that each bank review its coverage in detail, paying particular attention to the gaps where no coverage applies or especially where the limits of coverage are inadequate. Haynes continues: “Today’s legal and regulatory-notification requirements after a breach are very rigorous and expensive to fulfill. Generally, the standard sub-limited coverage available today to respond to the expenses of these notifications is woefully inadequate.” Costs go beyond what you might expect, and include paying a forensic accountant to identify the scope of the breach.
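The article’s point about the mis-tuned scoring model, as an added example that is not from the article or the bank: a small risk score over the three criteria the two ACH files actually deviated on (day of week, originating address, amount), run once under a configuration like the bank’s (amount only, threshold out of reach) and once corrected. The customer profile, IP addresses and credit amounts are constructed to mirror the scenario; the weights and thresholds are assumptions for illustration.

```python
# Added example (not the article's or any bank's code): a transaction
# risk-scoring check. Profile, addresses and amounts are constructed.
from dataclasses import dataclass

@dataclass
class CustomerProfile:
    usual_weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    known_addresses: frozenset  # originating IPs seen on prior submissions
    typical_file_total: float   # typical total of one ACH credit file
    typical_item_amount: float  # typical size of one credit in the file

@dataclass
class AchFile:
    weekday: int
    source_address: str
    credits: list               # individual credit amounts in the file

# Assumed points per criterion: "amount" is what the article's bank scored on;
# "weekday" and "address" stand in for the "vital criteria" it left out.
WEIGHTS = {"weekday": 30, "address": 40, "amount": 30}

def risk_score(profile, ach_file, criteria):
    """Return (score, reasons) for one file, using only the enabled criteria."""
    score, reasons = 0, []
    if "weekday" in criteria and ach_file.weekday not in profile.usual_weekdays:
        score += WEIGHTS["weekday"]; reasons.append("unusual day of week")
    if "address" in criteria and ach_file.source_address not in profile.known_addresses:
        score += WEIGHTS["address"]; reasons.append("new originating address")
    if "amount" in criteria:
        too_big = (sum(ach_file.credits) > 2 * profile.typical_file_total
                   or max(ach_file.credits) > 2 * profile.typical_item_amount)
        if too_big:
            score += WEIGHTS["amount"]; reasons.append("amount far above normal")
    return score, reasons

def decision(score, threshold):
    # Files at or above the threshold are held for out-of-band confirmation.
    return "hold" if score >= threshold else "release"

# Constructed profile: normally ~$50,000 files on Tue/Thu from one address.
PROFILE = CustomerProfile(frozenset({1, 3}), frozenset({"203.0.113.10"}), 50_000, 5_000)
# Constructed files mirroring the article: Friday $400k and Monday $300k,
# both from an address never seen before, with $22,000-sized credits.
FRIDAY_FILE = AchFile(4, "198.51.100.77", [22_000] * 10 + [180_000])
MONDAY_FILE = AchFile(0, "198.51.100.77", [15_000] * 20)

def evaluate(criteria, threshold):
    """Score both files under one configuration; returns {name: decision}."""
    return {name: decision(risk_score(PROFILE, f, criteria)[0], threshold)
            for name, f in (("friday", FRIDAY_FILE), ("monday", MONDAY_FILE))}

# Mis-tuned like the article's bank: amount only, and a threshold the score
# can never reach, so both fraudulent files are released.
WEAK = evaluate({"amount"}, 90)
# Corrected: all three criteria, threshold reachable by one strong anomaly.
CORRECTED = evaluate({"weekday", "address", "amount"}, 40)
```

Run stand-alone, WEAK releases both files while CORRECTED holds both; the reasons list from risk_score is what an analyst would want in the alert that triggers the out-of-band callback.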
'Grandparents' scam dupes area residents
By Phillip Bock, Editor. Tuesday, February 5, 2013. www.presspubs.com
According to the Polk County Sheriff, several cases of the "Grandparent" scam have been reported in the county. In one recent case an elderly couple in Osceola was duped out of several thousand dollars as a result of the scam.
The "grandparent" scam is one in which an elderly person receives a call reporting a mishap that has occurred in another country. The caller usually claims to be a grandchild, relative, or legal authority and requests that money be sent, usually through Western Union, in order for the mishap to be fixed.
During past calls, the caller claimed to be a grandchild and begged the "grandparents" not to tell his/her parents because he was ashamed.
In some cases, the money is requested to be sent to another country altogether. In a recent Polk County case, the caller said he was in Mexico, but requested the funds be sent to Nicaragua. The caller explained that it was a holiday, so the funds would need to be sent to the consulate in Nicaragua, which would then transfer the funds to Mexico after the holiday.
"Be smart about sending money under these types of situations. Call the grandchild or their parents to find out if they are even in the country the caller claims," Sheriff Pete Johnson said. "Even if they are, don't send money without talking to someone. If you believe it to be true, contact the Consulate in the country or the State Department for assistance."
Johnson noted that, due to the nature of the scam and the funds being transferred to a different country, the money is often unrecoverable.
"Do not send money through any wire service unless you know who the receiver is and that the receiver is legitimate," he said. "Once the money is received, there is nothing we can do to get it back for you."
Security Notice - December 5, 2012
We have been notified of the following text and email scams:
- A customer received a text message stating that her online banking password had been reset – the message did not reference her bank name. A link and phone number were provided in the text if she did not request the reset. When the user contacted the number provided, she was asked for a credit card number.
- A customer received an email notice not referencing his financial institution but noting that his Neteller (NetTeller was misspelled throughout the email) profile needed to be updated for security purposes and to avoid interruption. There was a link provided in the email that would have enabled malware if selected.
If you are questioning the validity of any text or email that appears to be from Community Pride Bank or regarding your account with us, please contact the Bank at (763) 862-6500.
Bogus emails purportedly sent by the Visa/Mastercard “Identity Theft Department” are targeting the cards’ users by trying to convince them that a “security incident” has put their online banking and credit card credentials at risk, Help Net Security reported September 27. Unfortunately for those users who click a link included in the emails, the destination page is a phishing page. “Although the fake form is not hosted on a secure (https) site as all genuine online financial transactions would be, the scammers have made an attempt to make the process seem more authentic by providing a typical image based security code field,” Hoax-Slayer reported. Users who enter the requested details will then be taken to further fake pages that request more financial and personal details. All information submitted on the bogus form will be sent to online criminals and used to make fraudulent transactions in the victim’s name.
'Refund' Scam Trolling for Bank Data
The Star Tribune recently published an article regarding a ‘refund’ scam that is trolling for bank data. If you have any questions or concerns, please contact a Bank Representative at: (763) 862-6500.
Please be aware that there are fraudulent emails being circulated with “Netteller Direct Deposit Important Notice!!!” as the subject. You will never receive any unsolicited email from Community Pride Bank and any legitimate emails will always have your personalized “security phrase” or “email subject.”
Also, if you receive any unsolicited emails appearing to be from NACHA or the FDIC, please DO NOT open the email or any other attachments. The emails may be fraudulent and potentially harmful. The FDIC does not issue unsolicited emails to consumers or business account holders.
There are fraudulent messages being sent via phone, internet, social media and texts concerning a government program that offers to pay or assist you with your utility bills. If consumers provide the requested information, they are in turn given fraudulent banking information and told to pay their bills using the fraudulent information, which will result in the payment being rejected and the utility accounts may be negatively impacted.
Currently, there are no government programs that will contact you concerning your utility bills. If you receive messages concerning this, please do not respond to the messages. They may ask for your bank account information or personal information; however, we advise you to not provide such information.
Please be aware that some of our customers have reported receiving a fraudulent pop-up regarding a data security breach while using our website. The pop-up appears to be linked with Community Pride Bank, but it is not. THIS IS A SCAM. Do not click the link to access your credit report nor provide any confidential information.
Here is an example of what our customers have received:
Attention cpride.com Visitor,
Data Security Breach Information
We want to make you aware of a situation that has occurred that could be related to your personal information. Recently, there was a massive system breach at Epsilon, a third party vendor that supplies marketing services to a number of companies, including Best Buy, Chase, Citi, Disney, US Bank, Marriott, Home Shopping Network and many others. Files containing personal information were compromised.
Names, email addresses and some personal information was exposed. Because of the increased risk of identity theft, we are urging you to check your credit report for any activity that you did not authorize.
We want to help protect you against this data breach, by offering you access to your credit score for free. This offer is available on Tuesday, July 10, 2012. Please be aware that although your credit score is free, a credit card will be required to validate your identity.
Click Here to access your Credit Report
*Please Note: Your updated Credit Score is available for FREE today, Tuesday, July 10, 2012. Your credit score is updated on a monthly basis. This page is neither affiliated nor sponsored by cpride.com.
What you should do if you receive such a message:
- Do NOT click on anything within the pop-up
- Run an anti-virus program
- Run a spyware program
- Clear your cache
Your Private Information
We take your private information seriously and will never contact you via a pop-up, phone, email or text to ask you for your private information. If you have any concerns or suspicions about a message from Community Pride Bank, please contact us immediately at: (763) 862-6500.