We now have proof that hackers are targeting bank employees. Sadly, keyloggers, man-in-the-middle, and Trojans aren’t just for online banking customers anymore. The joint fraud alert from the FBI, FS-ISAC, and ICCC at the end of 2012 warns financial institutions that hackers are using spear phishing to take over internal employee accounts and send fraudulent wires.
Assume you’re already compromised.
The latest advice from security experts is to assume that criminals already have access to your systems. They’re not throwing in the towel; the reality is that attacks are becoming more sophisticated, and FIs are having a hard time keeping up. The talk around the security water cooler is “if a criminal really wants to get in, they’re going to get in.”
Cyber attacks = internal fraud?
How is a cyber criminal different from an embezzler? In this case, they’re not different at all:
- They’re both trying to steal money from you and your customers.
- They’re both covering their tracks to avoid getting caught.
- And, unfortunately, now they both have full access to your core banking systems.
Then what technology do we need?
This is not a problem that can be solved by technology alone. The largest FIs have spent millions on technologies like SIEMs, firewalls, IDS/IDPs, access control, payment fraud detection, online fraud detection, and so on. And yet they’re still susceptible to attacks from both embezzlers and cyber criminals.
The answer: understand your complex money flow.
There is a way to stop BOTH cyber criminals and embezzlers, and it starts with understanding how money flows through your organization. Over years, FIs have built a complex web of phone, fax, email, and payment systems that can move money internally and send money externally. This leaves FIs open to massive embezzlement. Employees and hackers have the ability to send or redirect tens of millions of dollars. The $19 million wire fraud reported by Citibank in 2011 is a perfect example of how payment complexity leaves financial institutions open to massive exposure.
Understanding shows you risk-based solutions.
As you follow the paths that money takes through your organization, the solutions become obvious. You spot the supervisor who can create AND approve a $5 million wire. You learn that branch managers can both transfer funds internally and send them externally. You realize that nothing will stop a wire room supervisor (or a hacker who took over their account) from redirecting a $15 million wire. Each of these issues points directly at its own fix.
Get started today.
The process to follow is simple:
- Start in your front office (tellers, CSRs, phone bank, lending officers, etc.).
- Identify every way that your front office staff moves money (internally and externally).
- Follow every step in the money movement process until the end.
- Along the way, you’ll also find back office functions that can move money.
- At each and every step of the process, make sure you understand three things: (1) How do we know this request is legitimate? (2) Where does this request go next? (3) How much money can we move?
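One way to organize what this walk-through turns up, as an added example that is not from the original article: record every money-movement step you find with who can create it, who can approve it, its limit, and whether funds leave the institution, then let a script surface the single-account exposures described above (the manager who can create AND approve, the role that can move money both internally and externally). The roles, steps, and limits below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    """One way money moves; roles are labels for groups of staff accounts."""
    name: str
    creators: frozenset   # roles that can initiate the request
    approvers: frozenset  # roles that can release it
    limit: int            # largest amount one request may move
    external: bool        # True if funds leave the institution

# Constructed sample inventory (hypothetical roles and limits, not a real FI)
STEPS = [
    Step("branch_internal_transfer", frozenset({"teller", "branch_manager"}),
         frozenset({"branch_manager"}), 250_000, False),
    Step("branch_outgoing_wire", frozenset({"branch_manager"}),
         frozenset({"branch_manager"}), 5_000_000, True),
    Step("wire_room_release", frozenset({"wire_clerk", "wire_supervisor"}),
         frozenset({"wire_supervisor"}), 15_000_000, True),
    Step("ach_origination", frozenset({"ops_clerk"}),
         frozenset({"ops_manager"}), 1_000_000, True),
]

def dual_control_gaps(steps):
    """Steps where one role can both create and approve: a single account
    (an employee's, or one an attacker took over) is enough to move money."""
    return {s.name: sorted(s.creators & s.approvers)
            for s in steps if s.creators & s.approvers}

def single_account_exposure(steps):
    """Per role, the largest amount it can send externally with no second person."""
    exposure = {}
    for s in steps:
        if not s.external:
            continue
        for role in s.creators & s.approvers:
            exposure[role] = max(exposure.get(role, 0), s.limit)
    return exposure

def internal_then_external(steps):
    """Roles that can both move money internally and send it out of the FI."""
    internal = {r for s in steps if not s.external for r in s.creators}
    external = {r for s in steps if s.external for r in s.creators}
    return sorted(internal & external)

def prioritized_findings(steps):
    """Findings ordered by amount at risk, largest first, for the Board report."""
    rows = sorted(((amt, role) for role, amt in single_account_exposure(steps).items()),
                  reverse=True)
    return [f"{role}: alone can send ${amt:,} externally" for amt, role in rows]
```

Adding dual control (a second approver role) to a step removes it from every finding, which makes the same inventory usable to verify the remediation.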
While the process itself is simple, it becomes complex as you repeat each step hundreds of times. Careful organization is crucial, as are a repeatable process and staff who understand both payment processing and how to think like a criminal. At the end of this process, you will have a prioritized, risk-based view of the threats posed to your organization by both internal staff and cyber criminals who may take over their accounts. You’ll also have a prioritized list of recommendations. If organized properly, this review gives your Board and Sarbanes-Oxley team a much higher level of confidence about this threat.