ID Management in Financial Services – May 2005
Online Fraud Trends – Staying Ahead of the Threats
Matthew Biliouris, Information Systems Officer – NCUA
Credit Union Industry Statistics
[Chart: credit union websites by Website Type – Interactive, Non-Interactive, Total; vertical axis 0 to 6,000]
Credit Union Industry Statistics
[Chart: Website Growth, percent change (-20.0% to 60.0%) for Interactive, Non-Interactive and Total websites, semi-annually from Jun-99 through Dec-04]
Credit Union Industry Statistics
Percentage of FICUs By Website Type, December 31, 2004
[Pie chart: segments None, Informational, Interactive, Transactional; values shown 41.2%, 14.3%, 3.7% and 40.7%]
Credit Union Industry Statistics
FICU Assets By Website Type, December 31, 2004
[Pie chart: segments None, Informational, Interactive, Transactional; values shown 3.5%, 4.3%, 90.0% and 2.2%]
Risk Assessment Process
1. Identify Risks
2. Understand Risks
3. Prioritize Risks
4. Develop & Implement Action Plans
5. Monitor
Security Programs
Gramm-Leach-Bliley Act – 501(b)
– Outlines Specific Objectives
– Requires NCUA to establish standards for safeguarding member records
Security Programs
Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access
Specifically Stated in §748.0(b)(2)
Security Programs
Appendix A – Guidelines for Safeguarding Member Information
– Involvement of Board of Directors
– Assess Risk
– Manage & Control Risk
– Oversee Service Providers
– Adjust the Program
– Report to the Board
Security Programs
Response Program Guidance
– Increasing Number of Security Events
– Congressional Inquiries
– GLBA Interpretation
– FFIEC Working Group
– Revise Part 748 – Add New Appendix B
Security Programs
Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access
– Respond to Incidents of Unauthorized Access to Member Information
Security Programs
Appendix B – Guidance on Response Programs
– Components of a Response Program
  – Assessing Incident
  – Notifying NCUA/SSA
  – Notifying Law Enforcement Agencies
  – Containing/Controlling Incident
  – Notifying Affected Members
Security Programs
Appendix B – Guidance on Response Programs
– Content of Member Notice
  – Account/Statement Review
  – Fraud Alerts
  – Credit Reports
  – FTC Guidance
PART 748 APPENDIX B
Conflict with State Law – e.g., California Notice of Security Breach statute
– Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person
– Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections
NCUA Expectations
Potential Questionnaire:
– Incorporated into Overall Security Program
– Escalation Process / Incident Response
– Review of Notices – Attorney Review?
– Enterprise Wide Approach
– Reporting to Senior Management
– Member Outreach / Awareness Programs
– Employee Training Programs
Quotes
“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”
Arthur Levitt
Former Chairman of the SEC
Phishing 101
Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.
Phishing 101
– E-mail
– Spoofed address
– Convincing
– Sense of urgency
– Embedded link (but not always)
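As an added illustration of the indicators on this slide (not part of the original presentation), the following Python scores a reported e-mail on a spoofed sender, urgency language and an embedded link whose real target differs from the text shown. The credit union name, its trusted domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumptions: the name members know the credit union by, and the domains it really sends from
CU_NAME = "example cu"
TRUSTED_DOMAINS = {"examplecu.org"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspend(ed)?|verify your account|urgent)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registrable(host):
    """Crude registrable domain: last two labels (an IP address is returned unchanged)."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string; more reasons means more indicators."""
    msg = message_from_string(raw)
    reasons = []
    from_hdr = msg.get("From", "")
    mailbox = from_hdr.split("<")[-1].rstrip(">").strip()
    display = from_hdr.split("<")[0].lower()
    sender_dom = registrable(mailbox.split("@")[-1])
    # Spoofed address: the display name claims to be us, but the mailbox domain is not ours
    if CU_NAME in display and sender_dom not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {sender_dom} does not match the claimed identity")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text):
        reasons.append("urgency language")
    for href, shown in LINK.findall(text):
        target = registrable(urlparse(href).hostname or "")
        shown_host = HOSTLIKE.search(re.sub(r"<[^>]+>", "", shown))
        if shown_host and registrable(shown_host.group(1)) != target:
            reasons.append(f"link text shows {shown_host.group(1)} but points to {target}")
        elif target not in TRUSTED_DOMAINS:
            reasons.append(f"embedded link to untrusted domain {target}")
    return len(reasons), reasons

# Constructed sample messages: one phishing lure, one legitimate newsletter
PHISH = ("From: Example CU Member Services <alerts@examplecu-secure.net>\n"
         "Subject: Account suspended\n\n"
         "Your account will be suspended within 24 hours. Please click\n"
         '<a href="http://203.0.113.10/login">http://www.examplecu.org/login</a> to verify your account.\n')
LEGIT = ("From: Example CU <newsletter@examplecu.org>\n"
         "Subject: Spring newsletter\n\n"
         'Our spring newsletter is now available at <a href="https://www.examplecu.org/news">our site</a>.\n')
```

Heuristics like these are a triage aid for the complaint-handling step, not a verdict; a lure with none of the three indicators still scores zero.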
Phishing Trends
Anti-Phishing Working Group
Industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.
APWG Members
– Over 400 members
– Over 250 companies
– 8 of the top 10 US banks
– 4 of the top 5 US ISPs
– Over 100 technology vendors
– Law enforcement from Australia, CA, UK, USA
Phishing Trends
[Charts] Source: APWG Phishing Attack Trends Report – March 2005
Examples (June 2004)
[Images] Source: Anti-Phishing Working Group Phishing Archive
Examples (March 2004)
[Images] Source: Anti-Phishing Working Group Phishing Archive
Examples (May 2004)
[Images] Source: Anti-Phishing Working Group Phishing Archive
Phishing Action Plans – Employee Education
– Training / Policy Development
– Awareness
– Handling complaints & reports of suspicious e-mails/sites
– Protect on-line identity of credit union
– Response Plan
Phishing Action Plans – Member Education
Communication Methods
– Internet Banking Agreements
– Newsletters
– Statement Stuffers
– Recordings when on “hold”
– Website (FAQs / Advisories / Links)
Phishing Action Plan Ideas – Member Education
Content
– We will never ask for xxx via e-mail
– We will never alert you of xxx via e-mail
– Always feel free to call us at # on statement
– Always type in our site URL (see statement / newsletter / previous bookmark)
Phishing Action Plan Ideas – Member Education
Content (cont’d)
– Sites can be convincingly copied
– Report suspicious e-mails & sites
– Where to get more advice on phishing
– Importance of patching
– How to validate site (via cert or seal)
– Where to go for ID theft help
Phishing Action Plan Ideas – Protection of CU’s Online Identity
Considerations:
– Keep certificates up-to-date
– Practice good domain name controls
– Don’t let URLs lapse
– Purchase similar URLs / Search for similar URLs
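As an added example for the “search for similar URLs” item (not from the original slides), this Python flags domains taken from member reports of suspicious e-mails and sites that are near misses of the credit union’s own domain, after folding digits commonly used in place of letters. The domain names, the reported list and the two-label registrable-domain rule are constructed assumptions.

```python
import re

OWN_DOMAIN = "examplecu.org"   # assumption: the credit union's real registered domain

# Digits and symbols often substituted for the letters they resemble; folded before comparing
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})

def registrable(domain):
    """Last two labels of a host name (a simplification, not a public-suffix lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition, e.g. "exmaple"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def is_lookalike(candidate, own=OWN_DOMAIN, max_distance=1):
    """True when the candidate is not ours but its name imitates ours."""
    if registrable(candidate) == own:
        return False                                   # our own host or a subdomain of it
    own_label = own.split(".")[0]
    cand_label = registrable(candidate).split(".")[0]
    folded = cand_label.translate(HOMOGLYPHS).replace("-", "")
    if own_label in folded:
        return True                                    # e.g. examplecu-secure, examp1ecu, other TLD
    return edit_distance(folded, own_label) <= max_distance

def flag_reports(domains):
    """Return the reported domains worth escalating, in the order received."""
    return [d for d in domains if is_lookalike(d)]

# Constructed sample: domains extracted from member reports of suspicious e-mails and sites
REPORTED = ["www.examplecu.org", "examplecu-secure.net", "examp1ecu.org", "exmaplecu.org",
            "examplecu.net", "ncua.gov", "members.example.net"]
```

The same check can be run against newly registered domain feeds to find similar URLs before members report them.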
Phishing Resources
NCUA
– (8/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions
– (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
– (05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance
FFIEC Agency Brochure
Inside the Examiner’s Playbook
– Think Globally
– Vendor Management
– Security Program (Part 748)
– Employee Remote Access
– Risk Assessment
– Patch Management
– IDS/Incident Response
– Virus Definition Updates
– BCP
– Formal Policies
FFIEC IT Examination Handbook
– Development & Acquisition
– Management
– Operations
– Outsourcing
– Retail Payment Systems
– Wholesale Payment Systems
Issued: BCP, Information Security, Supervision of TSPs, Audit, E-Banking, Fedline
Contact Information:
Matthew Biliouris
703-518-6394
Questions??