We now have proof that hackers are targeting bank employees. Sadly, keyloggers, man-in-the-middle, and Trojans aren’t just for online banking customers anymore. The joint fraud alert from the FBI, FS-ISAC, and ICCC at the end of 2012 warns financial institutions that hackers are using spear phishing to take over internal employee accounts and send fraudulent wires.
Assume you’re already compromised.
The latest advice from security experts is to assume that criminals already have access to your systems. They’re not throwing in the towel; the reality is that attacks are becoming more sophisticated, and FIs are having a hard time keeping up. The talk around the security water cooler is “if a criminal really wants to get in, they’re going to get in.”
Cyber attacks = internal fraud?
How is a cyber criminal different from an embezzler? In this case, they’re not different at all:
Then what technology do we need?
This is not a problem that can be solved by technology alone. The largest FIs have spent millions on technologies like SIEMs, firewalls, IDS/IDPs, access control, payment fraud detection, online fraud detection, and so on. And yet they’re still susceptible to attacks from both embezzlers and cyber criminals.
The answer: understand your complex money flow.
There is a way to stop BOTH cyber criminals and embezzlers, and it starts with understanding how money flows through your organization. Over the years, FIs have built a complex web of phone, fax, email, and payment systems that can move money internally and send money externally. This leaves FIs open to massive embezzlement. Employees and hackers have the ability to send or redirect tens of millions of dollars. The $19 million wire fraud reported by Citibank in 2011 is a perfect example of how payment complexity leaves financial institutions open to massive exposure.
Understanding shows you risk-based solutions.
As you follow the paths that money takes through your organization, the weak points become visible. You spot the supervisor who can create AND approve a $5 million wire. You learn that branch managers can both transfer funds internally and send them externally. You realize that nothing will stop a wire room supervisor (or a hacker who has taken over their account) from redirecting a $15 million wire. And as you find these issues, the solutions become obvious.
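The two kinds of findings described above, conflicting entitlements and a single person acting on both sides of a wire, can be checked mechanically once the money flows are written down. The following is an added example, not code from the article or any vendor: the role names, entitlement strings and wire audit records are constructed sample data, and the toxic combinations are the ones the paragraph names.

```python
# Constructed sample data (hypothetical, not from the article): which role
# holds which entitlement, and a small wire-room audit trail.
ENTITLEMENTS = {
    "wire_supervisor": {"wire.create", "wire.approve", "wire.redirect"},
    "branch_manager": {"transfer.internal", "wire.send_external"},
    "wire_clerk": {"wire.create"},
    "wire_approver": {"wire.approve"},
}
USERS = {"alice": "wire_supervisor", "bob": "branch_manager",
         "carol": "wire_clerk", "dave": "wire_approver"}

# Entitlement pairs one person should never hold together (segregation of duties).
TOXIC_PAIRS = [
    ({"wire.create", "wire.approve"}, "can create AND approve a wire"),
    ({"transfer.internal", "wire.send_external"},
     "can move funds internally AND send them externally"),
]

# Constructed audit records: who created, approved and (optionally) redirected each wire.
WIRE_LOG = [
    {"wire_id": "W1", "amount": 5_000_000, "created_by": "alice", "approved_by": "alice"},
    {"wire_id": "W2", "amount": 250_000, "created_by": "carol", "approved_by": "dave"},
    {"wire_id": "W3", "amount": 15_000_000, "created_by": "carol", "approved_by": "alice",
     "redirected_by": "alice"},
]


def toxic_entitlements(users, entitlements, toxic_pairs):
    """Return (user, role, reason) for every user whose role holds a toxic pair."""
    findings = []
    for user, role in users.items():
        held = entitlements[role]
        for pair, reason in toxic_pairs:
            if pair <= held:  # the role holds every entitlement in the pair
                findings.append((user, role, reason))
    return findings


def single_actor_wires(wire_log):
    """Return (wire_id, reason, amount) for wires where one person both initiated
    and authorised the movement, or redirected a wire they themselves approved.
    Sorted by amount descending so the largest exposure is reviewed first."""
    findings = []
    for w in wire_log:
        if w["created_by"] == w["approved_by"]:
            findings.append((w["wire_id"], "created and approved by the same user", w["amount"]))
        if w.get("redirected_by") == w["approved_by"]:
            findings.append((w["wire_id"], "redirected by its own approver", w["amount"]))
    return sorted(findings, key=lambda f: f[2], reverse=True)
```

Run against real entitlement exports and payment logs, the two functions give the prioritized, risk-based list the review is meant to produce; the sample data yields two conflicting roles and two wires needing a second pair of eyes.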
Get started today.
The process to follow is simple:
While the process itself is simple, it becomes complex as you repeat each step hundreds of times. Careful organization is crucial, as are a repeatable process and staff who understand both payment processing and how to think like a criminal. At the end of this process, you will have a prioritized, risk-based view of the threats posed to your organization by both internal staff and cyber criminals who may take over their accounts. You’ll also have a prioritized list of recommendations. If organized properly, this review gives your Board and Sarbanes-Oxley team a much higher level of confidence about this threat.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.