A Look Forward

Using machine learning is essential to providing depth to a security program where humans might be exploited.

Bouncing fraudulent transactions through multiple “mule” accounts before ultimately transferring those funds out of the country is nothing new. Crooks want to stay as far away from the trail of dirty money as possible, making money mules the perfect way to cover their tracks.

Reported instances of money mule use in fraud cases have never been higher at Q2. The scenario works like this: An account holder falls victim to some flavor of online scam, be it romance, elderly, work from home; take your pick. The victim is coerced into receiving funds into their account with specific instructions to transfer them back out of the account essentially immediately. These situations occur much more often than you may think and are particularly difficult to defend against, as the institution’s actual account holder is initiating the transactions.

This is where transaction monitoring using behavioral analytics comes in. The moment “Authorize” is clicked on the outgoing transfer, Q2’s proprietary Risk and Fraud Analytics (RFA) engine immediately scrutinizes that transaction. In the case of the money mule fraud scheme, the recipient account is a new recipient to that account holder. As this particular end user has never transferred funds to the recipient before, this transaction—which appears suspicious based on the user’s history—will be stopped by RFA.
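To make the "new recipient" logic concrete, here is a small worked example of the kind of history-based check described above. It is added here for illustration and is not Q2's RFA/Sentinel code; the data classes, the `review_outgoing` function, the 48-hour pass-through window and the sample transfers are all constructed assumptions. It goes one step beyond the paragraph by also flagging the second half of the mule pattern, an outgoing amount that closely matches credits received shortly before.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    account: str        # the account holder's account at the institution
    direction: str      # "in" (credit received) or "out" (outgoing transfer)
    counterparty: str   # recipient for "out", originator for "in"
    amount: float
    at: datetime


@dataclass
class Decision:
    action: str         # "allow" or "hold"
    reasons: list


def review_outgoing(transfer, history, passthrough_window=timedelta(hours=48)):
    """Score one outgoing transfer against the account's own history.

    Two checks, both derived from the money-mule pattern in the text:
      1. new recipient: the account has never sent funds to this counterparty;
      2. rapid pass-through: the amount matches credits that arrived shortly before.
    Either one is enough to hold the transfer for a callback.
    """
    if transfer.direction != "out":
        raise ValueError("review_outgoing only scores outgoing transfers")
    mine = [t for t in history if t.account == transfer.account and t.at < transfer.at]
    reasons = []

    if not any(t.direction == "out" and t.counterparty == transfer.counterparty for t in mine):
        reasons.append("new recipient: no prior outgoing transfer to this counterparty")

    recent_in = sum(t.amount for t in mine
                    if t.direction == "in" and t.at >= transfer.at - passthrough_window)
    if recent_in > 0 and transfer.amount >= 0.9 * recent_in:
        reasons.append(f"rapid pass-through: ${transfer.amount:,.2f} out within "
                       f"{passthrough_window} of ${recent_in:,.2f} in")

    return Decision("hold" if reasons else "allow", reasons)


# Constructed sample history (not real account data).
T0 = datetime(2015, 10, 5, 9, 0)
HISTORY = [
    Transfer("acct-1001", "out", "rent-llc", 1200.00, T0 - timedelta(days=60)),
    Transfer("acct-1001", "out", "rent-llc", 1200.00, T0 - timedelta(days=30)),
    Transfer("acct-1001", "in", "unknown-originator", 4850.00, T0 - timedelta(hours=6)),
]


def routine_rent_payment():
    """Known recipient, amount unrelated to the recent credit: allowed."""
    return review_outgoing(Transfer("acct-1001", "out", "rent-llc", 1200.00, T0), HISTORY)


def suspected_mule_transfer():
    """Never-seen recipient, nearly the full amount that just arrived: held."""
    return review_outgoing(Transfer("acct-1001", "out", "overseas-recipient", 4800.00, T0), HISTORY)


if __name__ == "__main__":
    for decision in (routine_rent_payment(), suspected_mule_transfer()):
        print(decision.action, decision.reasons)
```

The held transfer is what triggers the callback described in the next paragraph; the rule produces reasons rather than a bare score so the representative making the call knows what to ask about.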

Just this week, we saw this exact scenario play out in a case reported to the Q2 Fraud team. RFA blocked an outgoing transfer and, upon callback, the customer service representative discovered the account holder was working under instructions related to an exciting new online work-from-home opportunity. Recognizing this as a scam, the institution canceled the outgoing transaction to prevent a loss.

If there is a moral to this anecdote, it’s that security awareness is not perfect. Humans will inevitably fall victim to the constant online hustle of the cyber crook. Combining machine learning with education and awareness training is key to a well-rounded defense. Leveraging a layered security model with the technology of algorithmic intelligence at its backbone provides the security depth needed when the human element is exploited.

As we move past Cyber Security Awareness month, it’s essential to maintain the mindset that security is not a “set it and forget it” practice. The threat landscape is constantly evolving, and we as security practitioners must continually work to keep pace. Looking forward, expect to see continually innovative security solutions being developed as we at Q2 work to provide our institutions with the tools you need to keep the upper hand.

*RFA is now known as Q2 Sentinel.

10 security tips your account holders need to hear

As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders

As we move into Cyber Security Awareness Month, we’ve assembled a list of security awareness tips that should be top of mind for account holders doing any type of online banking, or even just accessing the Internet in general. Many of these are likely things you have heard before, but a little repetition can go a long way. As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders:

  1. Take infections seriously; a virus may not just be a virus. Most of us, if we’re honest, have probably been guilty of thinking that if our PC gets infected with something, it’s not that big of a deal—that’s what our IT department is for, after all. They’ll have whatever the latest nasty bug we’ve contracted wiped from our machine and we’ll be back on track in no time… right? Wrong. These things are not named after scary critters for no reason—they are serious and have serious implications. Think about the effect financial malware can have on your personal finances or on your small business’s network immediately upon download.
  2. Control access to your machine. Think twice before walking away from your computer to get that third cup of coffee without first locking it. Even worse is leaving your machine unattended in public, or in the backseat of your car during happy hour. Malicious physical access to devices can be an overlooked attack vector. It’s amazing how quickly files can be dumped or unintended access to sensitive information gained during a quick few minutes away from your machine.
  3. Trust but verify: if it sounds too good to be true, it probably is. Don’t fall prey to schemes that play on your natural inclination to trust. Being trusting is not necessarily a bad thing, but it’s important to verify before taking action. Be wary of things like employment offers to make a quick buck, claims that you are a lucky winner of something, or limited time offers to cash in on an opportunity. Simply put: if it sounds too good to be true, don’t be too quick to believe it.
  4. Don’t use insecure Wi-Fi or unknown machines for banking. Sensitive online activity, such as online banking, should only be conducted from a device that belongs to you on a trusted network. Paying a few bills while you’re sipping your favorite latte at a local coffee shop may seem innocent enough, but what do you really know about others who are connected to that public Wi-Fi? Sniffing traffic on a public Wi-Fi connection can be shockingly simple, and can leave everything you are doing on that network free for the taking.
  5. “TMI” – Don’t overshare on social media. We may all be guilty of sharing too much information (TMI) at times. Don’t let social media be your outlet for sharing “TMI” about yourself to millions of people all over the world. Social media outlets are information gold-mines for anyone who may be looking to learn more about their next victim. Knowing where you vacation, the name of your pet, and your mother’s maiden name may come in quite handy for someone attempting to impersonate you.
  6. If you’ve got it, update it. If you don’t need it, delete it. Updating your software is not something you should do only when your machine slows to an unbearable crawl because it hasn’t been updated in months. Installing the latest versions of software ensures that what you are running has the latest security patches and keeps you protected. Update your software as soon as new releases are announced, and delete any unnecessary programs on your devices that you don’t need in day-to-day business. Installing lots of nonessential software just provides increased exposure points for you and your information.
  7. Scrutinize your email. Many of us comb through hundreds of emails every day, and clicking through and opening these emails is second nature. However, email is one of the most common attack vectors and is a quick and easy way for attackers to drop malware onto your PC or mobile device, or to trick you into providing sensitive information. Pay close attention to any emails that appear to come from slightly odd senders, and be extremely wary of any email requesting you to provide or confirm sensitive information. Your financial institution should never ask you to confirm or provide any type of personal information via email. Report suspicious emails to your employer and delete them completely without opening or clicking any contained links.
  8. Be mindful of what you plug in. Throwing files onto a USB drive can be a quick and easy way to share information. However, it’s also a quick and easy way to spread malware. Only plug removable media that you know and trust into your devices, and never share these storage devices amongst multiple parties.
  9. Knowledge really is power. When it comes to online banking, it pays to be in the know. Use your financial institution’s real-time alerts to keep yourself aware of anything going on in your account that may not be normal. Setting these alerts to deliver to multiple targets (voice calls, SMS text messages, and email) can help ensure their safe and quick delivery. Notify your financial institution immediately if you receive an alert regarding activity you did not generate.
  10. Get away from the “that can’t happen to me” mindset and prepare yourself. Live by the adage that it’s better to be safe than sorry. Believing that “it can’t happen to you” is a very risky position to take. Educate yourself on security precautions that you can take to prevent yourself or your business from becoming a victim. Work to spread the word of online safety to your friends, colleagues and families and be proactive in putting security measures into place.


Cyber security and the threat landscape are constantly evolving, and keeping your institution and your account holders as secure as possible requires their participation. Use October to stress the importance of cyber security and remind your account holders of their own role in keeping themselves safe.

When trust turns sour: The threat of social engineering attacks to your institution

Tips to building a successful defense strategy

Hunter S. Thompson once said, “I am a generous man, by nature, and far more trusting than I should be. The real world is risky territory for people with generosity of spirit. Beware.”

This quote could not be truer or resonate more today, especially when discussing the topic of social engineering attacks in the financial sector.


“The real world is risky territory for people with generosity of spirit” is incredibly accurate if you think about it. The unfortunate truth is that, as humans, our natural inclination is to trust and to look for the good in people—particularly in the case of individuals working in customer service positions. Unfortunately, this makes us easy prey for fraudsters. Trusting, helpful human spirits are the low hanging fruit. Attacks aimed at humans don’t require an attacker to place malware on a device or inject anything into a browser—often all it takes is a simple phone call into the back office. With just a few nuggets of information about an end user, fraudsters often have all of the necessary tools to convince a financial institution’s (FI’s) employee to readily “help” them.

While we all would like to think that our staff will not fall for such schemes, I’d caution that the shift in transaction amounts occurring in such attacks is raising fewer and fewer eyebrows. Why? In many cases fraudsters are moving toward initiating smaller transactions—generally less than $10K—rather than high-dollar wires, so as not to attract unwanted attention. These smaller-dollar transactions are bounced through multiple mule accounts before ultimately leaving the country.

Particularly where social engineering is concerned, we have seen a 63 percent increase in fraud cases reported to Q2, when comparing only the first quarter of this year to all of 2014. That’s a dramatic upsurge in just three months, as compared to the prior 12.

At a high level, these reports consist of phone calls, faxes or emails into the back office attempting to generate transactions or change sensitive information on an end user’s account. And, with the amount of personal and company information available and accessible on the internet, the reality is that these scams are not difficult to pull off.

As we look to the future, a combination of factors will continue to contribute to fraudsters’ use of social engineering as an attack of choice, to name just a few:

  • The shift toward Europay, MasterCard and Visa (EMV), and the reduction of fraud via the reselling of reproduced cards.
  • The continued evolution of anomaly detection anti-fraud tools catching transactions generated online.
  • The fact that these attacks really are just too easy, as they rely simply on trusting human nature.


Building a successful defense strategy for these types of attacks ultimately comes down to consistent training and testing of employees’ reactions to a variety of challenging scenarios. The Q2 Security team has built a targeted, customized Social Engineering Testing service designed to pressure employees in scenarios we’ve seen used in actual fraud cases. The reality is that we truly don’t know how staff will react to these types of schemes until they are faced with the situation in a real-world scenario. Trust itself is not a bad thing, however, encouraging a culture of “trust, but verify” may just pay off in the long run.

What cyber security lessons were learned in 2014?

Arguably, 2014 will be remembered as a year that left its mark on the state of cyber security across the industry. From massive retail data breaches to cyber attacks waged by nation states against organizations, the widespread impacts led to unprecedented repercussions. These types of attacks can cause brand damage, increased audit scrutiny and significant loss of market share. Let’s take a closer look at what we saw in 2014.

Massive Retail Breaches

2014 was a record year for retail data breaches – at least in terms of the number of records lost. Between Home Depot, Target and JP Morgan Chase, nearly every American felt the impact in some way, shape, or form. And while the large retailers occupied the mainstream headlines, a slew of small and mid-size retailers experienced similar breaches. POS (Point-of-Sale) systems became a popular target for criminals, as they obviously play a significant role in processing financial transactions. This, coupled with the increased demand for stolen credit cards, had a significant impact on the surge of malware targeting POS systems. Until merchants and manufacturers get serious about securing these terminals and their networks, they will remain a rich target for cyber criminals.

Sophisticated Banking Trojans

An underground market once dominated by ZeuS, Carberp, Citadel and SpyEye has given birth to more advanced variants and copycats boasting additional functionality and capabilities. In 2013 nearly a million new banking malware variants were uncovered, which more than doubled the volume of the previous year.  Institutions amped up their security to protect against these threats, but the rise of banking malware continued into 2014 as fraudsters tried to stay one step ahead. Last year we were introduced to Kronos, Emotet, Dridex and Dyre. Although core functionality (e.g. stealing online banking credentials) still existed, these newer variants included enhancements in the form of anti-detection techniques and intelligent communication mechanisms.

Surges in Crypto-malware

Researchers observed a global surge in the occurrence of crypto-malware families such as Cryptolocker, Cryptodefense and Cryptowall. Crypto-malware is a particularly sinister threat that encrypts data on a compromised device and then attempts to extort money from the victim in order to have the data decrypted. Across the world, we watched as crypto-malware targeted a wide range of victims, from state governments to small towns, and large corporations to the average consumer. Faced with really no other option, most victims reluctantly paid the demanded ransom, crossing their fingers and blindly trusting their data would be restored. Unfortunately, this wasn’t always the outcome.

Attacks Aimed at the Weakest Link

The threat of attack directed towards the human element of security had been predicted. Frankly, it continues to prove to be the path of least resistance and yields a high rate of success. Attackers are no longer “throwing the kitchen sink” in hope the victim bites at the phish. Instead, techniques evolved as social engineering efforts became more specially crafted, targeting the victim in a manner that increased the chance the victim would divulge information or perform actions that would be unlikely in ordinary circumstances. Well-planned attempts targeted the back office at financial institutions, and fraudsters impersonated legitimate customers and coerced victimized employees into approving fraudulent transactions.

2015 and Beyond

So, what does 2015 have in store? Not surprisingly, we should probably be hedging our bets towards more of the same. However, I strongly believe institutions can tip the scale of power in their favor. Security requires vigilance and accountability. The threats we face are too pervasive to allow us to believe we can prevent them all. Financial institutions must leverage the right technology solutions that not only help defend against these threats, but also provide real-time detection. Ideally, these solutions can improve our ability to not only respond, but also remediate all types of attack. Tipping the scale, we greatly improve our chances for winning this ongoing fight.

Our Shared Responsibility: Q2 Honors National Cyber Security Awareness Month

Sponsored by the Department of Homeland Security, National Cyber Security Awareness Month celebrated its 11th year this October. Each year, this month serves as an opportunity for not only Security professionals, but also consumers, small and medium sized businesses, corporations, and financial institutions to spread awareness and share information about Cyber Security.

The theme of National Cyber Security Awareness Month for 2014 was “Our Shared Responsibility.” As we’re constantly connected to the internet, our risk of exposure to theft, fraud, and abuse is significant. Cyber Security attacks can affect our finances, identity, and privacy making it an important national security priority.

Throughout the month, Q2 presented a weekly series of Security presentations with the goal of educating its employees of not only the risks and threats the Security team sees on a daily basis, but also countermeasures they can use to protect themselves and the company. Topics such as how to recognize social engineering attempts, information about security threats such as Heartbleed and POODLE, and a demonstration of common hacking techniques were presented to Q2 employees to increase awareness of Cyber Security protection.

By the end of the month, the Q2 Security team recognized a notable increase in the awareness of Cyber Security amongst coworkers. Employees are actively reporting suspicious emails and seeking out the Security team for advice about personal Cyber Security. By opening a dialogue with our employees about the importance of Cyber Security, Q2 is helping to protect our customers, our employees, and our company.

Cyber Security awareness doesn’t end in October. We encourage you to make security-minded thinking a part of your day-to-day routine. Talk to your account holders and employees about Cyber Security awareness and security basics. Education and information are the first steps in combatting Cyber Security threats. If you have questions about Q2’s Cyber Security recommendations and best practices, please feel free to reach out to the Q2 Security team by contacting Jean Twaddell at jean.twaddell@q2ebanking.com.

Heightened FI Accountability Should Fuel Relationship Resurgence among Commercial Clients

The recent TRC Operating Co. Inc. case is only one of several creating a ripple of increased fraud awareness across businesses and their financial institutions (FIs). While it takes the vested interest of both parties to assess risk, build the fortress, and maintain safe-keeping, who’s to blame when security is compromised?

TRC’s claim of  strictly being offered a username and password – and no further security controls – ultimately resulted in a $350K settlement paid by United Security Bank. So where is the line drawn?

Businesses do not receive the same protection against cyber fraud that is afforded to consumer banking customers under Reg E. While commercial customers are typically provided enhanced security solutions, they do not receive the loss protection that retail account holders do, which limits losses to $50 if reported within two days. As such, it’s on FIs to provide “commercially reasonable security procedures” to their business clients.

Username and password clearly do not cut the mustard as a standalone security control for commercial customers – or for that matter, any customer. Institutions are not just accountable to provide strong security options; when litigation arises, they are now being asked to prove they have attempted to offer these solutions to customers, who can then decide their own fate. This was evidenced in the recent court ruling in St. Louis that found Missouri-based title company Choice Escrow responsible for over $400K in fraud losses, after it declined [in writing] to use the security controls offered by its bank.

That being said, fraud fault does not automatically fall on FIs alone. In reality the term “commercially reasonable,” when referencing security procedures, is subjective. Therefore the blame should be shared – and preferably prevented or squashed through tightened business/banking partnerships.

In light of the recent lawsuits making headlines, business owners must remain vigilant and aware of the clear and present dangers that exist, and FIs must establish themselves as the trusted advisor. To help diminish some ambiguity for business and banking partners, the UCC provides the below guidelines as to the determining factors of the “commercial reasonableness” of a security procedure:

  • What are the wishes of the customer expressed to the FI?
  • What are the circumstances of the customer known to the bank – including size, type, and frequency of payment orders normally issued by the customer to the bank?
  • What are the alternative security procedures offered to the customer?
  • What security procedures in general use by customers and receiving banks can be updated?

While “commercially reasonable” will continue to evolve with the landscape, FIs need to make the leap to a proactive security approach. Not to mention, strengthening the relationships among FIs and their commercial customers will only reinforce the barriers we’re all building against potential fraudsters.

Fighting DDoS Attacks

Addressing DDoS readiness as part of your ongoing information security program

Ever since the onslaught of distributed denial-of-service (DDoS) attacks that began in late 2011, the acronym DDoS has become a household term. Once a concern only of the IT or IS departments, these attacks now have the attention of the operational functions at financial institutions. Retail banking, cash management, and back office personnel are now well aware of the damage these attacks can create, and the hysteria that can arise within their respective areas as the result of an attack.

Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement notifying financial institutions of the risks associated with continued distributed denial-of-service (DDoS) attacks on public websites. The FFIEC expects financial institutions to address DDoS readiness as part of their ongoing information security program, specifically to include:

  • Monitoring of incoming traffic to public web site(s)
  • Activating incident response plans if a DDoS attack is suspected or occurring
  • Ensuring sufficient staffing for the duration of the attack, including the use of previously contracted third-party services


The joint statement issued by Federal Financial Institutions Examination Council (FFIEC) can be viewed at the link below:

http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf

Financial institutions have begun bolstering their defenses, in hopes of mitigating the damage of DDoS attacks, or preventing them altogether. However, many are too narrowly focused on increasing bandwidth, engaging third-party traffic scrubbers, and locking down vulnerable systems that could amplify the effects of an attack. Unfortunately, while these actions may be warranted, and provide some benefits, financial institutions are still missing the bigger picture.

While there is no foolproof defense against a denial of service attack, there are several ways in which community and regional FIs can effectively mitigate the risks. How? My firm belief, based on first-hand experience, is that DDoS attacks would not be as significant a concern, if not for the prevalence of account takeover fraud. Account takeover—what does that have to do with a DDoS attack? This: criminals frequently launch DDoS attacks against financial institutions as a means of covering up transactional fraud they’ve perpetrated, or are in the process of perpetrating. Their hope is that an FI will be so focused on trying to restore online banking services that they’ll miss a fraudulent outbound ACH or wire transaction.

In these scenarios, DDoS attacks represent the second half of the equation when it comes to account takeover (ATO) – useful once fraud has been successfully perpetrated. However, by preventing the fraud with stronger controls, financial institutions can significantly mitigate the risk of a DDoS attack being launched against them. In other words: adequately prevent the fraud, and you’ll reduce the likelihood of a DDoS attack. So, the question is—is your FI focused on perimeter defenses and internal infrastructure, or have you taken the time to consider implementing additional security measures to protect the customer and the institution at the transactional level? Where there’s smoke there’s fire – the fraud is the fire, the DDoS attack is the smoke.

Combatting Fraudsters

What is the right approach as the attack landscape changes?

I often get asked about my thoughts on banking from mobile devices. There’s no doubt about it: increasing demand for banking on mobile devices has become a critical component of most financial institutions’ (FIs’) offering. But my concern is that I don’t think FIs or account holders fully appreciate the potential risks of banking on mobile devices. Risks that as a CSO, I see or hear about every day.

I know a lot of industry folk claim that security professionals often hyperbolize about mobile banking threats. But here is the reality: surprisingly many mobile banking applications are often designed without proper security controls built in. Even worse, perhaps the underlying mobile operating system has flaws in its design. Look no further than the recent Apple iOS security vulnerability as an example (oh by the way, make sure to get the latest iOS update for you iPhone users). And even when the apps have proper built-in security, it may not be enough. Why? Well, as we deploy more sophisticated controls, fraudsters also adapt their techniques. Couple insufficient security with the proliferation of malware attacking mobile devices, and you have a threat that is very real and will continue to grow, evolving from running up bogus charges from cellular carriers—which is minor in comparison—to the potential of credential-stealing and theft of financial data.

Theft of financial data from mobile devices, you ask? You bet. One of the methods we are beginning to see is the use of malicious Quick Response (QR) codes. For example, fraudsters create fake ones to convince account holders to download “new security software” from their FI. What really happens is the account holder downloads malware onto their mobile device, which then waits to intercept an out-of-band (OOB) SMS one-time password (OTP). Once obtained, fraudsters can log in as the account holder or potentially use it to approve a financial transaction. Yep, from the same out-of-band SMS OTPs that we all believe to be a secure method for countering attacks. And this is just one example.

But with the right approach, I know we can defeat fraudsters. This is why I’m so passionate with FIs about establishing a multi-layered security strategy, which focuses on the entire banking session, from login and authentication through transaction submission. In the face of a myriad of threats, layered controls should be deployed to ensure a secure banking experience. Examples include the use of OOB OTPs and tokens, behavioral modeling to detect and prevent anomalies, multi-factor authentication, and the use of dual controls.

Why layered controls? This approach ensures the weakness of one control is compensated by the strength of another. And of course, these controls cannot be set and forgotten. They must be revisited as the attack landscape changes. My question to you: Is your FI investigating or using a multi-layered security approach? Implementing such a strategy will go a long way towards mitigating threats.

Check out the most recent issue of Credit Union Magazine where my fellow security colleagues and I further discuss combatting mobile threats.

Bouncing Transactions

Fraud resulting from account-takeover attacks continues to increase. And the mechanisms by which the fraud is being perpetrated continue to vary as fraudsters use creative ways to exfiltrate stolen funds from financial institutions. While ACH and wire transfer fraud aimed at commercial account holders continues to be the most damaging and prevalent, an interesting trend has been seen emerging targeting retail customers. Fraudsters have begun to leverage external funds transfer as a new way to defraud customers—only they’re using account linking to other FIs to “bounce” the transactions around before withdrawing.


Recently, we’ve noticed an uptick in the number of fraud cases (approximately 6 cases involving just over $170k in 2013) reported by our FIs involving fraudulent transactions created via incoming external transfers soon after new accounts have been opened. The general scenario works like this. A new account holder [fraudster] opens an account and enrolls in online banking. Shortly after enrollment, generally less than a month, the fraudster links the new account to an external account, or sometimes multiple external accounts, held at other FIs. The fraudster initiates an ACH-debit transaction, transferring funds into the newly created account. The funds are quickly withdrawn from the account in a number of ways, including ATM withdrawals, checks, or outgoing external transfers. Be on the watch for these types of activities. Examine your existing controls around funds transfer entitlements, and consider implementing additional mitigating controls, including:

  • Limit the ability of net new customers to link accounts or initiate external transfers through online banking. Consider using a minimum of at least 30 days after the initial opening of a new account with your financial institution.
  • Monitor ACH-debit activity (inbound transfers). Although it doesn’t represent the same risk as an outgoing transaction, it is still important to watch for anomalous activity.
  • Review existing entitlements and abilities current account holders have based on historical usage.
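The three controls above are entitlement decisions the online banking platform can make before a transaction is ever created. The following is an added worked example of such an entitlement gate; it is not Q2 code, and the `Account`/`Verdict` classes, the `evaluate` function and the sample accounts are constructed assumptions. The 30-day seasoning period is the figure from the first bullet; the inbound-credit rule follows the second.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_ACCOUNT_AGE = timedelta(days=30)   # seasoning period suggested in the text


@dataclass
class Account:
    number: str
    opened: date
    linked_external: list = field(default_factory=list)   # accounts held at other FIs


@dataclass
class Verdict:
    allowed: bool      # may the action proceed?
    review: bool       # proceed, but queue for the fraud team
    reason: str


def account_age(account, today):
    return today - account.opened


def evaluate(account, action, today, min_age=MIN_ACCOUNT_AGE):
    """Apply the entitlement rules to one online-banking action.

    action is one of:
      "link_external"  - link an account held at another FI
      "external_out"   - outgoing external transfer
      "ach_debit_in"   - inbound transfer pulled from a linked external account
    """
    age = account_age(account, today)
    seasoned = age >= min_age

    if action == "link_external":
        if not seasoned:
            return Verdict(False, False,
                           f"account is {age.days} days old; linking requires {min_age.days}")
        return Verdict(True, False, "seasoned account may link external accounts")

    if action == "external_out":
        if not seasoned:
            return Verdict(False, False,
                           f"account is {age.days} days old; external transfers require {min_age.days}")
        if not account.linked_external:
            return Verdict(False, False, "no linked external account to transfer to")
        return Verdict(True, False, "seasoned account with a linked external account")

    if action == "ach_debit_in":
        # Inbound credits are not blocked, but on a young account, or one that has
        # linked several external accounts, they are queued for review.
        flags = []
        if not seasoned:
            flags.append(f"inbound credit on {age.days}-day-old account")
        if len(account.linked_external) > 1:
            flags.append(f"{len(account.linked_external)} external accounts linked")
        return Verdict(True, bool(flags), "; ".join(flags) or "inbound credit on seasoned account")

    raise ValueError(f"unknown action {action!r}")


# Constructed sample accounts (not real data).
TODAY = date(2015, 10, 5)
NEW = Account("acct-2001", date(2015, 9, 20))                       # 15 days old
NEW_LINKED = Account("acct-2002", date(2015, 9, 20), ["ext-a", "ext-b"])
SEASONED = Account("acct-1001", date(2013, 1, 10), ["ext-1"])


def new_account_link():
    return evaluate(NEW, "link_external", TODAY)


def seasoned_external_out():
    return evaluate(SEASONED, "external_out", TODAY)


def young_account_inbound():
    return evaluate(NEW_LINKED, "ach_debit_in", TODAY)


if __name__ == "__main__":
    for v in (new_account_link(), seasoned_external_out(), young_account_inbound()):
        print(v)
```

Keeping the inbound rule as "allow and review" rather than "deny" matches the second bullet: an incoming credit is lower risk than an outgoing one, so the goal is visibility, not friction for legitimate new customers.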

“Who Stole My Cookie?”

In June 2011, the FFIEC issued a supplement to their guidance entitled “Authentication in an Internet Banking Environment,” originally published in 2005. The supplement keyed on several widely-adopted controls, one of which they referred to as “simple device identification.” Simple device identification is known as the process of identifying a customer or end user by nothing more than verifying the presence of an HTTP cookie. But more than two years since the guidance was published by the FFIEC, financial institutions of all sizes continue to rely on this traditional, undoubtedly broken, authentication method. In fact, it remains rather prevalent across many banking sites.

So why are banks and credit unions still using such methods for authentication? Understand, I’m not suggesting cookies are evil nor am I suggesting we should stop using cookies in our web applications. Due to the stateless nature of the HTTP protocol (which is how we navigate the World Wide Web), cookies are a very credible means for a server to maintain a certain level of state for each session. HTTP cookies are sent from the client (browser) to the server (application) on every navigation request or HTTP call that is made—this is how web applications maintain the state of a session. E-commerce sites, which feature online shopping carts, or social sites, which track user preferences, often rely on cookies. In reality, these cookies do not present any risk to an end user.

The problem lies in how financial institutions are relying on the presence of these cookies as their primary control for end user authentication (i.e. simple device identification). Unfortunately, cookies are usually not associated with a particular device, but rather with a particular end user. Adding to that problem, there’s no mechanism that prevents cookies from being stolen or copied from the browser cache. Modern financial malware has the capability not only to log keystrokes to steal credentials, but also to steal information such as cookies. Surprisingly, many financial institutions are unaware that cookies are even susceptible to being lifted from a computer.


Simple device identification vs. Complex device identification

Although no device authentication method can mitigate all threats, the FFIEC considers complex device identification to be more secure than, and preferable to, simple device identification. As clearly stated in the guidance, “institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.” Complex device identification alone is not enough either, as an attacker can spoof many of the attributes that are examined. However, combining techniques that detect unusual values in headers with analysis of historical patterns makes it much more difficult for an attacker attempting to impersonate the legitimate end user.
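To make the contrast concrete, here is an added illustration (constructed for this page; it is not Q2 code and not text from the FFIEC guidance) of the two approaches side by side. The simple check looks for nothing but the expected cookie, so a copied cookie passes. The complex check scores several request attributes against the profile recorded at the account holder’s previous logins and treats implausible header values as a reason to challenge. The attribute weights, the step-up threshold of 9 and the sample profile and requests are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DeviceProfile:
    """Attributes recorded the last time this account holder logged in (constructed)."""
    cookie: str
    user_agent: str
    accept_language: str
    timezone_offset: int       # minutes east of UTC, as reported by the client
    screen: str                # e.g. "1366x768"
    seen_ips: set[str] = field(default_factory=set)


def simple_device_check(request: dict, profile: DeviceProfile) -> bool:
    """Simple device identification: trust the session if the expected cookie is present.
    A cookie copied out of the browser cache passes this check as well as the real device does."""
    return request.get("cookie") == profile.cookie


# Hypothetical weights: a cookie is cheap to copy, so it carries the least weight.
WEIGHTS = {
    "cookie": 1,
    "user_agent": 2,
    "accept_language": 2,
    "timezone_offset": 3,
    "screen": 2,
    "ip_history": 3,
}
STEP_UP_THRESHOLD = 9   # hypothetical: below this score, demand a second factor


def header_values_plausible(request: dict) -> bool:
    """Reject obviously unusual header values (empty User-Agent, impossible UTC offset) before scoring."""
    ua = request.get("user_agent", "")
    tz = request.get("timezone_offset")
    return bool(ua) and isinstance(tz, int) and -840 <= tz <= 840


def complex_device_score(request: dict, profile: DeviceProfile) -> tuple[int, list[str]]:
    """Complex device identification: total the weights of attributes that agree with the stored
    profile and list the ones that do not, so an analyst can see why a login was challenged."""
    checks = {
        "cookie": request.get("cookie") == profile.cookie,
        "user_agent": request.get("user_agent") == profile.user_agent,
        "accept_language": request.get("accept_language") == profile.accept_language,
        "timezone_offset": request.get("timezone_offset") == profile.timezone_offset,
        "screen": request.get("screen") == profile.screen,
        "ip_history": request.get("ip") in profile.seen_ips,
    }
    score = sum(WEIGHTS[name] for name, ok in checks.items() if ok)
    mismatches = [name for name, ok in checks.items() if not ok]
    return score, mismatches


def decide(request: dict, profile: DeviceProfile) -> str:
    """'allow' only when the request looks like the known device; otherwise 'step_up'."""
    if not header_values_plausible(request):
        return "step_up"
    score, _ = complex_device_score(request, profile)
    return "allow" if score >= STEP_UP_THRESHOLD else "step_up"


# Constructed sample data: one stored profile, one genuine login, one replay of a copied cookie.
KNOWN = DeviceProfile(
    cookie="c0ffee-7b3a",
    user_agent="Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/24.0",
    accept_language="en-US,en;q=0.5",
    timezone_offset=-360,
    screen="1366x768",
    seen_ips={"203.0.113.10"},
)
LEGIT = {
    "cookie": "c0ffee-7b3a",
    "user_agent": KNOWN.user_agent,
    "accept_language": "en-US,en;q=0.5",
    "timezone_offset": -360,
    "screen": "1366x768",
    "ip": "203.0.113.10",
}
REPLAYED = {   # same cookie, everything else belongs to a different machine
    "cookie": "c0ffee-7b3a",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/30.0",
    "accept_language": "ru-RU,ru;q=0.8",
    "timezone_offset": 180,
    "screen": "1280x1024",
    "ip": "198.51.100.77",
}

if __name__ == "__main__":
    for label, req in (("genuine login", LEGIT), ("copied cookie", REPLAYED)):
        score, mismatches = complex_device_score(req, KNOWN)
        print(f"{label}: simple={simple_device_check(req, KNOWN)} "
              f"complex={decide(req, KNOWN)} score={score} mismatches={mismatches}")
```

Both requests pass the simple check because both carry the cookie; only the complex score separates the genuine login (every attribute agrees) from the replay (only the cookie agrees). The mismatch list is what you would want in the audit log when a step-up is triggered, since it explains the decision without storing anything more than the attributes already being compared.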

Of course, the best defense a financial institution can deploy is one that uses multiple layers. With a layered security model, the weakness in one control is compensated for by the strength of another. Ultimately, reliance on any single control or mitigating factor is insufficient—but a stratified approach keeps a shortcoming in any one defense from becoming a failure of the whole.

Introducing the Elephant in the Room – The Challenge

Community banks and credit unions have protected account holders for a long time, but today armored walls are not enough — not with the popularity of the online channel.

While it is imperative that banks and credit unions offer a full lineup of banking services including online, mobile and voice to keep up with the growing demand, financial institutions also need to constantly reassess the challenges, issues and potential threats those channels present.

Contributing to the problem is that community banks and credit unions no longer know their accountholders as well as they once did. Consequently, few financial institutions have a good grasp of typical transactions for specific accountholders.

The issue is so important that it has even garnered the increased attention of the federal government. On June 28, 2011, the FFIEC released updated guidance on how banks should guard against cyber-security threats. The FFIEC – a formal interagency body comprising the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) – issued its original set of guidelines back in 2005, titled Authentication in an Internet Banking Environment. It called on all financial institutions to improve their single-factor authentication processes – typically based on user names and passwords.

Since the guidelines were issued, numerous financial institutions added a second verification level for online transactions. However, in countless cases, the added measures have been largely superficial and barely reinforce authentication.

Despite the well-intentioned initial FFIEC mandate, fraud continues to grow exponentially while touching newer channels such as mobile banking that barely existed six or seven years ago. Online risk and fraud issues no longer emanate from hackers creating chaos from their basements. Fraud is big business, spawned by sophisticated organized crime factories aimed at stealing financial information. As a result of the more recent increases in online fraud within the banking industry, the FFIEC issued the new updated guidelines regarding online bank account security in an effort to further address the root cause of fraud.

There is a growing need for technology that intuitively knows accountholders’ normal transaction patterns and then issues alerts when irregularities take place. The technology exists, but deployment is often infrequent. Stay tuned to find out more about assessing security and how you can be prepared.
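As an added sketch of what “knowing normal transaction patterns” means in practice (constructed for this page, not Q2’s RFA engine or any vendor’s product), the block below builds a per-account baseline from past outgoing transfers and scores a new transfer on three irregularities: a recipient never paid before, an amount far above the account’s own history, and an initiation hour outside the account’s usual pattern. The three-standard-deviation limit, the hold-on-two-irregularities policy and the sample history are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    recipient: str       # payee / destination account identifier
    amount: float
    when: datetime


def build_baseline(history: list[Transfer]) -> dict:
    """Summarise an account holder's past outgoing transfers into a behavioural profile."""
    amounts = [t.amount for t in history]
    return {
        "recipients": {t.recipient for t in history},
        # three standard deviations above this account's own mean, not a global threshold
        "amount_limit": mean(amounts) + 3 * pstdev(amounts),
        "hours": {t.when.hour for t in history},
    }


def score_transfer(t: Transfer, baseline: dict) -> tuple[int, list[str]]:
    """Return (number of irregularities, human-readable reasons) for one new outgoing transfer."""
    reasons = []
    if t.recipient not in baseline["recipients"]:
        reasons.append("recipient never paid before")
    if t.amount > baseline["amount_limit"]:
        reasons.append(f"amount {t.amount:.2f} exceeds historical limit {baseline['amount_limit']:.2f}")
    if t.when.hour not in baseline["hours"]:
        reasons.append(f"initiated at hour {t.when.hour:02d}, outside the usual pattern")
    return len(reasons), reasons


def transfer_decision(t: Transfer, baseline: dict) -> str:
    """Hypothetical policy: two or more irregularities hold the transfer for a callback,
    one sends it to review, none releases it."""
    score, _ = score_transfer(t, baseline)
    if score >= 2:
        return "hold_for_callback"
    return "review" if score == 1 else "release"


# Constructed history for one account: rent, utilities and groceries, always in the evening.
HISTORY = [
    Transfer("ACCT-1", "landlord", 800.00, datetime(2013, 8, 1, 18, 5)),
    Transfer("ACCT-1", "electric-utility", 120.00, datetime(2013, 8, 3, 19, 40)),
    Transfer("ACCT-1", "grocer", 95.00, datetime(2013, 8, 10, 20, 15)),
    Transfer("ACCT-1", "landlord", 810.00, datetime(2013, 9, 1, 18, 10)),
    Transfer("ACCT-1", "electric-utility", 130.00, datetime(2013, 9, 3, 19, 55)),
    Transfer("ACCT-1", "grocer", 100.00, datetime(2013, 9, 12, 20, 0)),
]
BASELINE = build_baseline(HISTORY)

# Three new transfers: the usual rent, a small purchase from a new shop, and a large
# late-night transfer to a never-seen recipient (the money-mule shape).
RENT = Transfer("ACCT-1", "landlord", 800.00, datetime(2013, 10, 1, 18, 3))
NEW_SMALL = Transfer("ACCT-1", "online-shop", 45.00, datetime(2013, 10, 2, 19, 30))
MULE_STYLE = Transfer("ACCT-1", "unknown-recipient", 2400.00, datetime(2013, 10, 2, 3, 12))

if __name__ == "__main__":
    for t in (RENT, NEW_SMALL, MULE_STYLE):
        print(t.recipient, transfer_decision(t, BASELINE), score_transfer(t, BASELINE)[1])
```

The point of the per-account baseline is that the same $2,400 transfer would be unremarkable for a business account that pays suppliers at that level every week; the irregularity is relative to this account holder’s history, which is exactly the knowledge the paragraph above says institutions have lost.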

Introducing the Elephant in the Room – Online Banking Security

If your financial institution does not have risk and fraud concerns for the online banking channel, then this blog series will not be of any assistance to you. Keep a lookout over the next few weeks for more information on security, including the challenge, assessing security, and being prepared.

First off, if your financial institution’s reputation does not matter then I have some suggestions for you. To start, have your account holders create passwords that are easy to remember such as:

1. Children’s or pets’ names

2. Birthdays

3. Simple number sequences

4. Or have them attach sticky notes next to their computer with the password

You see, your very own account holder — too trusting, too frenzied, and sometimes too careless — is now the weakest link in the online banking process. Did you know that for every five people you know, one is infected? Well, at least their computer is. The Anti-Phishing Working Group estimates that 17 percent of U.S. desktops are infected with some type of malware or password stealer. Microsoft recently proclaimed, “One out of every 14 programs downloaded is actually malware.” Talk about going viral! In regard to challenge questions, encourage them to make personal information readily available on social networking sites and to click on any unverified links. Maybe they can also misguidedly download Trojans with funny names like ZeuS (not the Greek god), Tatanga (not a dance), or Oddjob (not a James Bond nemesis). Just remember, when it comes to online risk and fraud, when it happens, your account holders will likely look to your institution for answers.

The bottom line is that you cannot rely on anyone’s computer or online device being secure. For your financial institution, this means you could be a passive bystander, not wishing to panic your accountholders, or a proactive watch guard of their transactions with a few effective changes and the right partner.

Choosing the right options for online account security comes at a critical time. The number of households that use online banking grew to 72.5 million and those utilizing electronic bill pay grew to 36.4 million, according to a recent consumer survey. Usage is up because this channel is now the most preferred way for accountholders to interact and transact with a financial institution. At the same time, people are busier than ever and struggle to keep track of difficult-to-recall user IDs and passwords while protecting themselves at all times. Fraudsters realize this and take advantage of the growing popularity of the e-channel to set their traps to commit fraud.

The archetypal Depression-era bank thief, John Dillinger, was well known for his sophisticated social engineering schemes, which ranged from posing as a bank-alarm system salesman to pretending to film a “bank robbery scene” in order to stake out potential bank marks. For his efforts, Dillinger swiped several hundred thousand dollars from 1933 to 1934.

Compare that to the faceless ZeuS – called the ‘most dangerous Trojan virus ever created,’ according to some experts. ZeuS Trojans attack through “man-in-the-browser” agents that grab variables from a browser session, such as during online banking transactions, and use them to steal information, or worse.

Financial institutions may not be held accountable for any financial losses today, but their reputational loss has no such limitations. Online banking is so crucial that once an institution’s trust is compromised, accountholders have no reason to stay. Consumers are used to 24/7 online service and they expect 24/7 protection (even from themselves). Simply put, community banks and credit unions could and should do much more to protect accountholders as well as their financial institution’s own standing.

Now that you know all of this, what should be your next step? Stay tuned for the next blog posts to find out!

Protect Yourself from “Phishing” Attacks & Social Engineering Scams

So what is phishing?

Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords, account numbers, credit card details, and other personal information by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out using social engineering techniques such as email spoofing and often directs users to click a malicious link, or enter sensitive information at a fraudulent website, disguised as a legitimate or trusted source. Phishing e-mails may include a company’s logo or tagline along with a message of urgency regarding a problem with an account or a need to validate personal information.

How do you avoid phishing scams?

Your bank or credit union should NEVER request personal financial information from you as a customer via e-mail or online forms. As a customer, if you ever receive any suspicious e-mail containing logos or references to your bank, contact the bank directly. Never respond to an unsolicited or suspicious e-mail or provide any information to an unknown source.

  • Be suspicious of any unsolicited email requesting personal financial information – even if it appears to be from an entity you trust. These requests may ask for usernames and passwords, PIN numbers, social security numbers, account numbers, or card verification values (CVV) from the back of your credit and debit cards. Never provide this information unless you are using a known secured website or calling directly over the telephone.
  • Be aware of links embedded in suspicious e-mails. Consider bookmarking free sites such as www.pdfmyurl.com, which will PDF any URL in real time and present it back to you so you know if the site is fraudulent or real.
  • Never overlook your computer security measures. Install the latest anti-virus updates and anti-spyware software on your computer to prevent malicious websites from installing spyware. Visit www.onguardonline.gov or www.staysafeonline.org to learn more about available security software and other ways to help safeguard your computer.
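The “be aware of embedded links” advice can be turned into a mechanical check, which is what a mail gateway or a bank’s abuse mailbox would do with a forwarded message. The following is an added example written for this page (not code from the original post or from any product): it pulls every link out of an HTML mail body and flags the tells the post describes, namely a link whose visible text names the bank while the href goes elsewhere, a host that merely contains the bank’s name, and a plain-http link. The bank domain `examplebank.com` and the sample message are constructed.

```python
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAINS = {"examplebank.com"}   # assumption: the institution's genuine domains
# visible anchor text that itself looks like a URL or host name
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name (adequate for .com-style domains used here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def check_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks like a phishing lure; an empty list means no tell found."""
    reasons = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        reasons.append(f"link is not https ({target.scheme or 'no scheme'})")
    if registrable(host) not in BANK_DOMAINS:
        reasons.append(f"host {host!r} is not a known bank domain")
    for bank in BANK_DOMAINS:
        brand = bank.split(".")[0]
        if brand in host and registrable(host) != bank:
            reasons.append(f"host {host!r} imitates {bank}")
    if URL_LIKE.match(text):
        shown = text if "://" in text else "https://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host != host:
            reasons.append(f"visible text shows {shown_host!r} but link goes to {host!r}")
    return reasons


def analyze(html: str) -> list[tuple[str, list[str]]]:
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed message body in the style described above: logo line, urgency, a disguised link.
SAMPLE_MAIL = """
<p><b>ExampleBank</b> Security Notice</p>
<p>Your account has been locked due to unusual activity. Please verify within 24 hours:</p>
<p><a href="http://examplebank.com.secure-login.example.net/verify">https://www.examplebank.com/login</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/contact">our contact page</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_MAIL):
        print("SUSPICIOUS" if reasons else "ok", href, *reasons, sep="\n  ")
```

The first link in the sample trips all four tells; the second, which really does point at the bank, trips none. The mismatch between what the anchor text shows and where the href goes is the single most reliable of the four, because it is the one a fraudster has to commit to in order to make the lure look legitimate.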

Awareness is Key

Review your monthly credit card and bank statements.  Remember, time is of the essence.  Don’t wait for your statement to arrive in the mail or your inbox. Checking your statements online will enable you to easily identify errors or recognize unauthorized account activity.  In the case of a disparity or unauthorized transaction(s), notify your financial institution immediately by contacting its customer service department.

Take Prompt Action

If you feel you have been a victim of a “phishing” scam, take immediate steps to mitigate any damage to your personal information and your identity.

1. Report the fraudulent activity to your financial institution.

2. File a complaint online with the W3C.

3. Close existing deposit and checking accounts and reopen them with new account numbers.

4. Monitor and review your credit reports.  Report unauthorized activity to the three major credit reporting agencies, Experian, Equifax, and TransUnion.

5. Request a free copy of your credit reports.  To obtain a copy from each of the three major credit bureaus, visit www.annualcreditreport.com.  You may request your reports online, by phone, or through the mail.

6. If required, you may request that a fraud alert be placed on your credit record requiring that you be contacted before credit is extended using your name and social security number.

7. Report suspicious activity to the Social Security Administration’s Office of Inspector General Fraud Hotline, by calling 1-800-269-0271 or online at OIG’s website http://oig.ssa.gov/.

Positive Pay: Is It Time To Get Serious?

Last March the Association for Financial Professionals (AFP) released the results of its latest Payments Fraud and Control Survey. For financial institutions and their business customers, it provides fascinating reading and food for thought. Of the respondents, 66 percent experienced attempted or actual payments fraud in 2011.

Checks continued to be the most popular target for criminals, and 85 percent of organizations that experienced actual or attempted fraud were victims of check fraud. ACH debit fraud attempts were lower and reported by 23 percent of survey respondents. Of reported actual and/or attempted payments fraud, 74 percent resulted in no financial loss. When it did, the typical fraud loss for the year 2011 was $19,200. On the upper end, the potential or actual loss for 12 percent of those experiencing payments fraud was $250,000 or greater.

Sixty-two percent of organizations reported the fraud attempts had occurred throughout the year, not at the same time or close together as one might expect. Although the total 2011 numbers were down from the previous two years, they remained significant with 28 percent reporting more fraud attempts.

In 2012, how many businesses can afford a typical fraud loss over $19,000? How many of those fraud dollars will financial institutions be willing to absorb? Not surprisingly, the AFP Survey reported that “fraud controls like positive pay and daily reconciliation unquestionably prevent fraud losses. And, they save time because the review is limited to exceptions.”

Reinforcement for positive pay services is contained in the latest FFIEC guidance “Supplement to Authentication in an Internet Banking Environment” published in June, 2011. Interestingly, the FFIEC update twice suggested positive pay. It would appear that use of positive pay could become more than just a suggestion.

From the updated guidance: “Effective controls that may be included in a layered security program include, but are not limited to…the use of positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account.” The case for positive pay is noted again in the Appendix, Threat Landscape and Compensating Controls: “Additionally, institutions can look to traditional and innovative business process controls to improve security over customers’ online activities. Some examples include…establish payee whitelisting (e.g., positive pay) and/or blacklisting.”
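For readers who have not worked with positive pay, the control is simple to state and simple to implement: the business sends the bank a file of the checks it issued, and anything presented for payment that does not match that file exactly becomes an exception the customer must approve or return by the day’s cutoff. The block below is an added example written for this page (not code from the AFP, the FFIEC or any bank’s system) that performs that matching for checks and adds the ACH debit filter that the guidance lists next to it; the issue file, presented items and originator caps are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Case- and whitespace-insensitive comparison of payee names."""
    return " ".join(name.upper().split())


def positive_pay_exceptions(issued: list[Check], presented: list[Check]) -> list[tuple[Check, str]]:
    """Match each presented check against the customer's issue file.
    Anything that does not match exactly becomes an exception for the customer to decide on."""
    issued_by_number = {c.number: c for c in issued}
    paid: set[int] = set()
    exceptions = []
    for item in presented:
        original = issued_by_number.get(item.number)
        if original is None:
            exceptions.append((item, "no issue record for this check number"))
        elif item.number in paid:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != original.amount:
            exceptions.append((item, f"amount altered: issued {original.amount}"))
        elif normalize_payee(item.payee) != normalize_payee(original.payee):
            exceptions.append((item, f"payee altered: issued {original.payee!r}"))
        else:
            paid.add(item.number)
    return exceptions


def ach_debit_exceptions(allowed: dict[str, Decimal],
                         debits: list[tuple[str, Decimal]]) -> list[tuple[str, Decimal, str]]:
    """ACH debit filter: whitelisted originators may debit up to their cap; all else is an exception."""
    out = []
    for originator_id, amount in debits:
        cap = allowed.get(originator_id)
        if cap is None:
            out.append((originator_id, amount, "originator not whitelisted"))
        elif amount > cap:
            out.append((originator_id, amount, f"exceeds cap {cap}"))
    return out


# Constructed issue file and the day's presented items.
ISSUED = [
    Check(1001, Decimal("1250.00"), "Acme Supply Co"),
    Check(1002, Decimal("300.00"), "City Water"),
    Check(1003, Decimal("4500.00"), "Omega Leasing"),
]
PRESENTED = [
    Check(1001, Decimal("1250.00"), "ACME SUPPLY CO"),   # clean: matches after normalisation
    Check(1002, Decimal("3000.00"), "City Water"),       # amount altered
    Check(1004, Decimal("975.00"), "Cash"),              # counterfeit: never issued
    Check(1003, Decimal("4500.00"), "J. Doe"),           # payee altered
    Check(1001, Decimal("1250.00"), "Acme Supply Co"),   # presented a second time
]
ALLOWED_DEBITS = {"PAYROLL-0042": Decimal("50000.00"), "TAX-AGENCY-7": Decimal("20000.00")}
DEBITS = [
    ("PAYROLL-0042", Decimal("48210.55")),   # within cap
    ("PAYROLL-0042", Decimal("51000.00")),   # over cap
    ("UNKNOWN-99", Decimal("1499.00")),      # not on the list
]

if __name__ == "__main__":
    for check, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"check {check.number} {check.amount} {check.payee!r}: {reason}")
    for originator, amount, reason in ach_debit_exceptions(ALLOWED_DEBITS, DEBITS):
        print(f"ACH debit {originator} {amount}: {reason}")
```

Amounts are `Decimal` rather than `float` so that a presented $1,250.00 compares equal to the issued $1,250.00 without rounding surprises, and the default for an unresolved exception should be return, not pay, which is what the survey means by the review being “limited to exceptions.”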

Download the AFP Survey report and the updated FFIEC guidance and read about it for yourself. Maybe it’s time to offer your business customers a proven fraud prevention tool for both check and ACH. Maybe it’s time for positive pay.

Gil Grey serves Q2ebanking as Vice President of Product Management for Treasury Services.  He has an extensive background in financial services, including SVP with Goldleaf Financial Solutions, a Senior Manager with Jack Henry & Associates, Associate Regional Director, Finance and Operations at the FDIC/RTC, and a Senior Manager in financial services consulting with Ernst & Young.  He spent many years in banking and started his career in the finance department of a large manufacturing company.  He holds a Bachelor of Business Administration in Marketing and Management and an MBA in Finance from Armstrong State University. He is also an Accredited ACH Professional (AAP) from NACHA and regularly participates in their councils and rules groups.

Managing the Access to Our Digital Lives

Passwords. They’ve become an integrated component of how we function in our daily lives. They are designed to protect privacy, and they represent a first line of defense in securing our digital lives and cyber personas. And in some cases, our only defense.

Sending, receiving, emailing, accessing, transacting, purchasing, banking, subscribing, submitting, authorizing and social networking…just to name a few. As a result of the digital age and the growing number of interactions we have with electronic systems, I personally am prompted for a password between 15 and 25 times each day – and sometimes in excess of 30.

As creatures that thrive on the euphoric principle of convenience, we often find ourselves constantly looking for ways to achieve more of it, while at the same time battling the perceived obstacles that seem to work against us and our quest to attain even more convenience(s) in our daily lives.

Translate this to how many of us view the obstacle of passwords. The number of daily online interactions that require our use of passwords is undoubtedly increasing. However, our tolerance for managing this growing mountain is endearingly low… and that may be an understatement. As a result, we’ve gravitated towards a dangerous practice known as “password re-use.” Simply stated, our convenience is more important to us than our security. Agreed?

Look at the recent breaches of user passwords from services such as Facebook, Yahoo!, LinkedIn, eHarmony and other popular social-networking sites. Following these incidents, websites quickly surfaced publishing lists upon lists of these compromised passwords – and in many cases, usernames as well…which, in many cases, just so happened to be an email address.

Arguably, one could downplay the potential damage resulting from unauthorized access to one of their accounts on the sites listed above. But would you downplay the risk if one of these lists published your username and password for your online banking site? Absolutely not. And that is the inherent problem that exists when re-using the same or similar passwords across online banking, social networking, and other e-commerce sites.

So, what measures can we be taking to help us avoid this problem and our tendency to opt for reusing passwords?

1. At a minimum, establish unique and complex passwords for use when accessing your online banking site. Inquire with your bank to see if they offer other factors for online authentication, such as tokens or OTPs (one-time passwords).

2. Use a personal passphrase instead of a single word, and build a password based on the words contained in the phrase or sentence. “Four score and seven years ago our fathers brought…” could be remembered as “4scanse”.

3. Consider a password management tool to help generate and store unique passwords for each of the sites you visit. Some of the most popular include RoboForm (my personal favorite), LastPass, and KeePass, to name a few. These tools will encrypt your saved passwords for safe online or offline storage and access.

Following such practices will reduce your risk of an attacker gaining access to your sensitive credentials. Only you can help yourself.
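Two of the practices above can be checked by software rather than by willpower. The added example below (constructed for this page; it is not code from RoboForm, LastPass, KeePass or any breach-notification service) shows how a password manager or a bank’s enrolment page can test a candidate banking password without ever sending it anywhere: the client hashes it, asks for only the first five hex characters of the hash, and finishes the comparison locally, a range-query pattern modelled on the approach public breached-password services use. It also shows the vault-side reuse check that a manager can run over its own store. The breached-password corpus, the vault contents and the 12-character minimum are assumptions for the example.

```python
from __future__ import annotations
import hashlib

# Constructed stand-in for a corpus of passwords exposed in past breaches.
BREACHED_PASSWORDS = {"password", "123456", "letmein", "qwerty", "Fluffy2010", "linkedin"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: set[str]) -> dict[str, set[str]]:
    """Server side: index breached hashes by their first five hex characters."""
    index: dict[str, set[str]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_query(prefix: str) -> set[str]:
    """What the server answers: every stored suffix under a 5-character prefix.
    The client never sends the full hash, let alone the password."""
    return RANGE_INDEX.get(prefix, set())


def is_breached(password: str) -> bool:
    """Client side: fetch the range for the hash prefix, then compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Groups of sites in a password manager's vault that share one password."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def banking_password_ok(password: str, vault: dict[str, str]) -> tuple[bool, list[str]]:
    """Minimum bar for the online-banking password (assumed policy):
    at least 12 characters, absent from the breach corpus, and used for no other site."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    if password in vault.values():
        sites = ", ".join(site for site, pw in vault.items() if pw == password)
        problems.append("already used for: " + sites)
    return not problems, problems


VAULT = {   # constructed password-manager contents
    "social.example": "Fluffy2010",
    "mail.example": "Fluffy2010",
    "shop.example": "7Uq!m3b#Lx2pV",
}

if __name__ == "__main__":
    print("reused across:", reused_passwords(VAULT))
    for candidate in ("Fluffy2010", "correct horse battery staple"):
        print(candidate, banking_password_ok(candidate, VAULT))
```

Nothing in `is_breached` reveals which password the client is asking about: many different passwords share any given five-character prefix, so the server learns only that one of them is being checked. That is the property that makes it safe to run such a check against a service you do not control.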