BankInfoSecurity.com - Information Security News, Regulations, & Education

Just Released: Our Online Webinar Catalog

Bank Information Security Articles

Agencies Issue ACH, Wire Fraud Advisory

Credit
EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Federal, State Groups Offer Tips to Businesses, Institutions

March 15, 2010 - Linda McGlasson, Managing Editor

Save

Digg

Delicious

Please login or register to save this article.

Comment on this article

In the surging wake of fraudulent ACH and wire transactions - and subsequent lawsuits -- government and private security entities have issued a new cybersecurity advisory offering tips to businesses and financial institutions.

The alert, entitled "Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks" was issued jointly on March 12 by the U.S. Department of Justice, the New York State Intelligence Center, New York State Police, the New York State Office of Homeland Security, the U.S. Secret Service, the Multi-State ISAC and the Financial Services ISAC.

Bill Nelson, Executive Director of the Financial Services Information Sharing and Analysis Center (FS-ISAC) says the cyber alert on wire fraud is an important one that businesses and banks should pay close attention to because of the number of attacks happening around the country to businesses and government entities.

Attacks by hackers have hit both private businesses and government entities with fraudulent wire transfers that average in losses from $100,000 to $200,000 per victim. These attacks compromise the victims' computer by launching malware-laden phishing emails or other ways, but rather than just taking small amounts of money via ACH transactions, they wire large amounts of money overseas, either directly or via money mules. The malware being used to collect the banking credentials from victims is the Zeus Trojan.

Click to Get Updates on the Latest Information Security News

Company*

Title*

Email*

Subscription Type:

Healthcare Enews

General Healthcare Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Government Enews

General Government Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Banking Enews

General Banking Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Credit Union Enews

General Credit Union Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Need Help?

Nelson says the wire fraud recommendations, "follow many of the same points we talked about in the August 2009 advisory to NACHA and FS-ISAC members about ACH fraudulent transactions."

These transactions have resulted in well-documented legal disputes between banking institutions and their customers, as in the case of Texas-based PlainsCapital Bank and Hillary Machinery, Inc., which are at odds over what constitutes "reasonable security."

This advisory focuses on a different attack vector, not just ACH transactions, but wire transfers, which are more instantaneous. "The wire transfers happen really quickly and can be very damaging in terms of losses," Nelson says.

The joint advisory stresses a layered approach to stopping and preventing future wire fraud transfers. "All along we have been emphasizing a layered defense approach, with dual control, daily account reconcilement and using a dedicated computer for banking online," he says.

Nelson says businesses should set up a dedicated computer and use it only for online banking, no email or web surfing allowed. "Even for a small business, a laptop for $400 to use only for online banking is affordable," Nelson says.

Best Practices For Businesses

Some of the recommended best practices for businesses to increase cybersecurity:

Install a security software suite that includes antivirus, anti-spyware, malware and adware detection, from a reputable vendor and keep it up-to-date.

Routinely install all new software and hardware patches or use the automatic update feature when available.

Use a dedicated computer for all online transactions and implement white listing methods to prevent the system from going to any site/address that does not have a documented business need.

Educate users on good cybersecurity practices to include how to avoid having malware installed on a computer and new malware trends such as the development of "malvertizing," where malware is hidden in the code of a legitimate website.

Implement block/black lists and enforce them on the network perimeter.

Employ advanced authentication techniques for user logins (two-factor authentication).

Utilize a security expert to test your network or run security software that will aid you in closing known vulnerabilities.

Actions For Financial Institutions

1 | 2

View On 1 Page

Next Related Article:

Fedwire Hit With Phishing Scam

We've seen so many ACH fraud advisories. Why don't they work?

Here's your chance to be a part of the dialogue and engage with your peers! Just enter your comment to the right, click submit to send it to our Editor. All entries are posted anonymously.

Please login if you would like to post a comment on this question.

Topics of Interest

ID Access & Management

Is The Door To Your Company's Private Data Wide Open?
25 Best Practices for Managing User Access to Desktops, Networks, and Applications to Ensure Regulatory Compliance

Risk Assessment

Redspin Security Report: Top 10 Network Security Threats of 2008 - Q2 Update
Thwarting Insider Threat for Financial Institutions

Payments

Heartland's Bob Carr on Leadership in a Crisis
FDIC on Top Fraud Threats to Banks

Physical Security

Redspin Security Report: Top 10 Network Security Threats of 2008 - Q2 Update
Physical Asset Management & IT Security

ISO

Risk Management and ISO 27001 Certification – Mark Bernard, Credit Union Central, B.C.
Meeting the Security Standard: The Business Benefits of ISO 27001 Certification

Encryption

Protecting Enterprise Data with Proofpoint Encryption
Achieving Compliance with Massachusetts Data Protection Act

Latest Tweets & Mentions

Recent Content
Most Popular

1Heartland, Discover Settle at $5 Million
2How to Protect Consumers from ID Theft
3The Mobile Mandate
4Church Latest Victim of ACH Fraud
5Video: Why Cyber Challenge is Needed
6FDIC: 829 Troubled Banks
7ID Theft: Courts Cracking Down
810 Tips to Thwart Skimming
9Skimming: Old Crime, New Tools
10Key Elements of Risk Management

1Failed Banks and Credit Unions, 2010
22010 Data Breach Timeline
3Pay-At-The-Pump Skimming on the Rise
4Account Takeover: The New Wrinkle
5Tapping the Power of Social Media
6ATM Skimming: How Effective is Jitter?
741 Banking Breaches So far in 2010
8New Fraud Spree Investigated
9Social Media Policy - The 6 Essentials
10FDIC: Top 5 Fraud Threats

BankInfoSecurity.com Research

Podcast:Mortgage Fraud: Compliance to be a Challenge
Webinar:Money Laundering Update: The Latest Threats to Your Institution
Handbook:2010 Webinar Catalog
White Paper:Understanding Man-in-the-Browser Attacks and Addressing the Problem
Regulation:FHFA: Issues Subpoenas for PLS Documents

Recent Blog Entries

Be Mindful of Insider Fraud Against Seniors

California's Financial Abuse Reporting Act, SB 1018, which r…

Read The Agency Insider by Linda McGlasson

Vendor Solutions

Core Security Technologies

Solutions For:

Security Monitoring
Symantec Corporation

Solutions For:

Business Continuity/ Disaster Recovery, Email Security, Enterprise Security Management

Marketplace

Information Security Media Group - Family of Websites

Banking

BankInfoSecurity.com
Careers
Blogs

Credit Unions

CUInfoSecurity.com
Careers
Blogs

Government

GovInfoSecurity.com
Careers
Blogs

Healthcare

HealthcareInfoSecurity.com
Careers
Blogs

About Us
Contact Us
Site Map
Terms of Service
Advertise
RSS

BankInfoSecurity NewsGet the RSS Feed
Agency ReleasesGet the RSS Feed
Latest ArticlesGet the RSS Feed
WebinarsGet the RSS Feed
BankInfoSecurity.com BlogGet the RSS Feed

Home
Training
Resources
Content Library
- Agency Releases
- Articles
- Handbooks
- Podcasts
- Surveys
- Webinars | Calendar
- White Papers
Careers
Blog

Advanced Search

Browse Topics

Agencies

Federal Deposit Insurance Corp
Federal Reserve Board
Federal Trade Commission
FFIEC
FHFA
FinCEN
Government Accountability Office
National Credit Union Admin.
NIST
Office Comptroller of Currency
Office of Thrift Supervision

Anti-Money Laundering

Banking Today

Confidence In Banking

Business Continuity & Disaster Recovery

Pandemic Preparation

Compliance

Bank Secrecy Act
Basel II
CA Bill 1386
E-SIGN Act
FACTA
Gramm-Leach-Bliley Act
Guidance
Identity Theft Red Flags Rule
NCUA Part 748
Patriot Act
PCI DSS
Sarbanes-Oxley Act

Emerging Technology

Application Security
Authentication
Cloud Computing
Data Loss
Encryption
GRC
ID Access & Management
Messaging
Mobile Banking
Network/Perimeter
Remote Capture
SIM/SEM
Social Media
Storage
Web Security

Fraud

ACH
ATM
Check
Debit, Credit, Prepaid Cards
First Party
Insider
Mortgage
Payments
Wire

Governance & Standards

BITS
Cobit
COSO
FFIEC Handbook
ISO
ITGI
ITIL
PCAOB

Identity Theft

Pharming
Phishing
Skimming

Leadership & Management