Pub 2 2013 Issue 7

l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s 22 A n alarming trend in electronic thefts from community banks continues, even though the concept has been around for a while. We’re referring to “account takeover,” a term used by banks and regulators. Account takeover generally refers to ACH transactions initiated by what appears to be a bank’s commercial client but is actually a perpetrator who has taken control of the client account without the client’s or bank’s knowledge. The hackers are getting past the security—or lack of it—at the weak- est link: the commercial bank customer. Who needs a gun and bandana when you have an Internet connection? Let’s review the widely re- ported circumstances of one Kansas bank and its commercial account. These reports have been published by Bloomberg News security writer Brian Krebs and NBC News, both of which were sources for this article. The bank had a typical two-step verification procedure for payroll batches. The controller at the bank’s commercial account would log in to Internet banking with his username and password, and after initiating an ACH transfer, he would receive an email from the bank confirming the payment details. After verifying the email was correct, the controller would approve the payment. However, these protections did not prevent thieves from initiating a large unauthorized transfer in November 2010. The biggest problem here is that although the bank had attempted to implement a two-factor verification procedure, it still had a single point of failure: the computer used to access the online banking account. When thieves installed the ZeuS Trojan on the controller’s computer, it didn’t just monitor online banking activity, but all activity on the computer. That meant the thieves obtained the controller’s email credentials along with his Internet banking ones. When they initiated their unauthorized payment, they simply logged in to the controller’s email account, deleted the email detailing their newly initiated payment and returned to the online banking account to approve their transfer. One possible solution now being offered to commercial banking cus- tomers is out-of-band authentication, which would have prevented the above situation from occurring. In the case of out-of-band authentica- tion, instead of sending an email to the controller, the bank could have sent a verification text message to his mobile phone or even called him directly to verify the payment. The thieves did two suspicious things: They sent their transfer the day after the bank’s commercial account had sent a legitimate payroll transfer and, most notably, sent their transfer to nine new employees they had added to the bank’s com- mercial account immediately before initiating the payment. Both of these items—especially the last one—were unusual and should have triggered a response at the bank. It should also be noted that the bank, at that time, relied solely on usernames and passwords to authenticate to online banking accounts. Fortunately, since 2010, core processors have introduced more sophis- ticated authentication and detection tools and methods. Although using out-of-band authentication here would have prevent- ed the thieves from accessing the bank’s commercial account in this instance, there are other kinds of malware that would have bypassed this protection. For example, some malware waits for a user to log in to their online banking account and then prevents them from logging off. The malware will display a standard logout page, causing the user to believe that they have successfully logged out. However, the mal- ware has intercepted their session cookies and is still logged in, and at this point, it will create and initiate an unauthorized transfer from the user’s account. Some of the newer regulations recommend several steps banks can take to increase their security posture and that of their commercial customers. They include: 1. Performing a risk assessment on new electronic services 2. Considering layered security 3. Assisting with customer awareness and education training of these threats Kansas banks should consider their approach to testing their control environment and reviewing the security controls implemented by their commercial clients. For more information about what Kansas banks can do to protect themselves, there are plenty of good resources. A task force made up of regulators, IT security consultants and auditors has issued solid recommendations in this area, and the Texas Department of Banking has published them at http://www.ectf.dob.texas.gov/ectfrecomend. htm. The document entitled “Best Practices for Reducing the Risks of Corporate Account Takeovers” is well-written and includes practi- cal steps in clear and easy-to-understand language. A very helpful resource, indeed. Ron Hulshizer is a director with the IT Risk Services division for BKD, LLP, a top-ti- er national CPA and advisory firm. He advises community banks on IT security and manages a team of security engineers and consultants. BKD IT Consultant Carolyn Buller assisted with the research for this article. What’s Old in Technology Threats, is New By Ron Hulshizer, Director BKD, LLP, It Risk Services