Online Fraud Trends PowerPoint PPT Presentation

Title: Online Fraud Trends


1
Online Fraud Trends: Staying Ahead of the Threats
  • Matthew Biliouris, Information Systems Officer
    NCUA

2
Credit Union Industry Statistics
3
Credit Union Industry Statistics
4
Credit Union Industry Statistics
5
Credit Union Industry Statistics
6
Risk Assessment Process
7
Security Programs
  • Gramm-Leach-Bliley Act 501(b)
  • Outlines Specific Objectives
  • Requires NCUA to establish standards for
    safeguarding member records

8
Security Programs
  • Credit Unions Must Have a Process in Place to:
  • Ensure Security and Confidentiality of Member
    Records
  • Protect Against Anticipated Threats or Hazards
  • Protect Against Unauthorized Access
  • Specifically Stated in 748.0(b)(2)

9
(No Transcript)
10
Security Programs
  • Appendix A: Guidelines for Safeguarding Member
    Information
  • Involvement of Board of Directors
  • Assess Risk
  • Manage and Control Risk
  • Oversee Service Providers
  • Adjust the Program
  • Report to the Board

11
Security Programs
  • Response Program Guidance
  • Increasing Number of Security Events
  • Congressional Inquiries
  • GLBA Interpretation
  • FFIEC Working Group
  • Revise Part 748 - Add New Appendix B

12
Security Programs
  • Credit Unions Must Have a Process in Place to:
  • Ensure Security and Confidentiality of Member
    Records
  • Protect Against Anticipated Threats or Hazards
  • Protect Against Unauthorized Access
  • Respond to Incidents of Unauthorized Access to
    Member Information

13
(No Transcript)
14
Security Programs
  • Appendix B: Guidance on Response Programs
  • Components of a Response Program
  • Assessing Incident
  • Notifying NCUA/SSA
  • Notifying Law Enforcement Agencies
  • Containing/Controlling Incident
  • Notifying Affected Members

15
Security Programs
  • Appendix B: Guidance on Response Programs
  • Content of Member Notice
  • Account/Statement Review
  • Fraud Alerts
  • Credit Reports
  • FTC Guidance

16
PART 748 APPENDIX B
  • Conflict with State Law, e.g., the California Notice
    of Security Breach statute
  • Requires notice to California residents when
    unencrypted member information is or may have
    been acquired by an unauthorized person
  • Gramm-Leach-Bliley Preemption Standards: no
    intent to preempt where state law provides
    greater consumer protections

17
NCUA Expectations
  • Potential Questionnaire
  • Incorporated into Overall Security Program
  • Escalation Process / Incident Response
  • Review of Notices / Attorney Review?
  • Enterprise Wide Approach
  • Reporting to Senior Management
  • Member Outreach / Awareness Programs
  • Employee Training Programs

18
Phishing
19
Quotes
  • "The use of digital media also can lend
    fraudulent material an air of credibility.
    Someone with a home computer and knowledge of
    computer graphics can create an attractive,
    professional-looking Web site, rivaling that of a
    Fortune 500 company."

Arthur Levitt, Former Chairman of the SEC
20
Phishing 101
  • Phishing uses e-mail to lure recipients to bogus
    websites designed to fool them into divulging
    personal data.

21
Phishing 101
  • E-mail
  • Spoofed address
  • Convincing
  • Sense of urgency
  • Embedded link (but not always)

22
Phishing Trends
  • Anti-Phishing Working Group: industry association
    focused on eliminating the identity theft and
    fraud that result from the growing problem of
    phishing and email spoofing.
  • APWG Members:
  • Over 400 members
  • Over 250 companies
  • 8 of the top 10 US banks
  • 4 of the top 5 US ISPs
  • Over 100 technology vendors
  • Law enforcement from Australia, CA, UK, USA
23
Phishing Trends
Source: APWG Phishing Attack Trends Report,
March 2005
24
Phishing Trends
Source: APWG Phishing Attack Trends Report,
March 2005
25
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing
Archive
26
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing
Archive
27
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing
Archive
28
Examples (June 2004)
Source: Anti-Phishing Working Group Phishing
Archive
29
Examples (March 2004)
Source: Anti-Phishing Working Group Phishing
Archive
30
Examples (March 2004)
Source: Anti-Phishing Working Group Phishing
Archive
31
Examples (May 2004)
Source: Anti-Phishing Working Group Phishing
Archive
32
Phishing Action Plans: Employee Education
  • Training / Policy Development
  • Awareness
  • Handling complaints and reports of suspicious
    e-mails/sites
  • Protect on-line identity of credit union
  • Response Plan

33
Phishing Action Plans: Member Education
  • Communication Methods
  • Internet Banking Agreements
  • Newsletters
  • Statement Stuffers
  • Recordings when on hold
  • Website (FAQs / Advisories / Links)

34
Action Plan Ideas - Education
35
Action Plan Ideas - Education
36
Action Plan Ideas - Education
37
Phishing Action Plan Ideas: Member Education
  • Content
  • We will never ask for xxx via e-mail
  • We will never alert you of xxx via e-mail
  • Always feel free to call us at the number on your statement
  • Always type in our site URL (see statement /
    newsletter / previous bookmark)

38
Phishing Action Plan Ideas: Member Education
  • Content (cont'd)
  • Sites can be convincingly copied
  • Report suspicious e-mails and sites
  • Where to get more advice on phishing
  • Importance of patching
  • How to validate site (via cert or seal)
  • Where to go for ID theft help

39
Phishing Action Plan Ideas: Protection of the CU's
Online Identity
  • Considerations
  • Keep certificates up-to-date
  • Practice good domain name controls
  • Don't let URLs lapse
  • Purchase similar URLs / Search for similar URLs

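A worked example, added here and not part of the presentation, of two of the steps above: generating the look-alike names to search for or register defensively (the "similar URLs" consideration), and triaging a URL from a reported suspicious e-mail against the credit union's own domains. The domain names and the confusable-character table are assumptions.

```python
import re

# Constructed sample: the institution's own registered domains (hypothetical names).
OWNED_DOMAINS = {"examplecu.org", "examplecu.com"}
# Characters easily confused at a glance; this table is an assumption, not exhaustive.
CONFUSABLES = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
COMMON_TLDS = ["com", "org", "net", "us", "info", "biz"]


def lookalike_candidates(domain):
    """Look-alike names for one domain: dropped character, swapped neighbours,
    inserted hyphen, confusable substitution and alternate TLDs."""
    label, _, tld = domain.partition(".")
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                          # dropped character
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # swapped neighbours
            labels.add(label[:i + 1] + "-" + label[i + 1:])            # inserted hyphen
        if ch in CONFUSABLES:
            labels.add(label[:i] + CONFUSABLES[ch] + label[i + 1:])    # e.g. l -> 1, m -> rn
    labels.discard(label)
    labels.discard("")
    cands = {f"{l}.{tld}" for l in labels} | {f"{label}.{t}" for t in COMMON_TLDS}
    return cands - {domain}


def monitoring_list(owned):
    """Candidates across all owned domains that the institution does not already hold:
    the list to search for in WHOIS/DNS or to register defensively."""
    cands = set()
    for d in owned:
        cands |= lookalike_candidates(d)
    return sorted(cands - set(owned))


def classify_reported_url(url, owned=OWNED_DOMAINS):
    """Triage a URL from a reported e-mail: 'legitimate', 'lookalike' or 'unrelated'."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    host = host.split("@")[-1].split(":")[0]      # ignore user@ prefixes and :port suffixes
    dom = ".".join(host.split(".")[-2:])          # registrable part, e.g. examplecu.org
    if dom in owned:
        return "legitimate"
    for own in owned:
        own_label = own.split(".")[0]
        if own_label in host or dom in lookalike_candidates(own):
            return "lookalike"                    # legit name buried in the host, or a generated variant
    return "unrelated"
```

The generator deliberately stays simple; a reported host that merely resembles the legitimate name without matching one of these variants still needs a human look.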
40
Phishing Resources
  • NCUA
  • (8/03) LTR 03-CU-12 Fraudulent Newspaper
    Advertisements, and Websites by Entities Claiming
    to be Credit Unions
  • (04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes
  • (05/04) LTR 04-CU-06 E-Mail and Internet-Related
    Fraudulent Schemes Guidance
  • FFIEC Agency Brochure

41
Action Plan Ideas - Education
42
Action Plan Ideas - Education
43
Inside the Examiner's Playbook
  • Think Globally
  • Vendor Management
  • Security Program (Part 748)
  • Employee Remote Access
  • Risk Assessment
  • Patch Management
  • IDS/Incident Response
  • Virus Definition Updates
  • BCP
  • Formal Policies

44
(No Transcript)
45
(No Transcript)
46
(No Transcript)
47
FFIEC IT Handbook
48
FFIEC IT Examination Handbook
  • Development and Acquisition
  • Management
  • Operations
  • Outsourcing
  • Retail Payment Systems
  • Wholesale Payment Systems
  • Issued
  • BCP
  • Information Security
  • Supervision of TSPs
  • Audit
  • E-Banking
  • Fedline

49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
Questions??
Contact Information: Matthew Biliouris, 703-518-6394,
matthewb_at_ncua.gov