Agencies Issue ACH, Wire Fraud Advisory
Federal, State Groups Offer Tips to Businesses, Institutions

The alert, entitled "Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks," was issued jointly on March 12 by the U.S. Department of Justice, the New York State Intelligence Center, New York State Police, the New York State Office of Homeland Security, the U.S. Secret Service, the Multi-State ISAC and the Financial Services ISAC.
Bill Nelson, Executive Director of the Financial Services Information Sharing and Analysis Center (FS-ISAC), says the cyber alert on wire fraud is an important one that businesses and banks should pay close attention to, given the number of attacks against businesses and government entities around the country.
Attacks by hackers have hit both private businesses and government entities with fraudulent wire transfers, with losses averaging $100,000 to $200,000 per victim. The attackers first compromise a victim's computer, typically through malware-laden phishing emails, but rather than siphoning small amounts via ACH transactions they wire large sums overseas, either directly or through money mules. The malware used to harvest the victims' banking credentials is the Zeus Trojan.
Nelson says the wire fraud recommendations, "follow many of the same points we talked about in the August 2009 advisory to NACHA and FS-ISAC members about ACH fraudulent transactions."
These transactions have resulted in well-documented legal disputes between banking institutions and their customers, as in the case of Texas-based PlainsCapital Bank and Hillary Machinery, Inc., which are at odds over what constitutes "reasonable security."
This advisory focuses on a different attack vector: not ACH transactions but wire transfers, which clear far faster. "The wire transfers happen really quickly and can be very damaging in terms of losses," Nelson says.
The joint advisory stresses a layered approach to stopping and preventing future wire fraud transfers. "All along we have been emphasizing a layered defense approach, with dual control, daily account reconcilement and using a dedicated computer for banking online," he says.
Nelson says businesses should set up a dedicated computer and use it only for online banking, no email or web surfing allowed. "Even for a small business, a laptop for $400 to use only for online banking is affordable," Nelson says.
Best Practices For Businesses
Some of the recommended best practices for businesses to increase cybersecurity:
- Install a security software suite from a reputable vendor that includes antivirus, anti-spyware, and malware and adware detection, and keep it up to date.
- Routinely install all new software and hardware patches, or use the automatic update feature when available.
- Use a dedicated computer for all online transactions, and implement whitelisting so that the system can reach only those sites/addresses with a documented business need.
- Educate users on good cybersecurity practices, including how to avoid having malware installed on a computer and new malware trends such as "malvertising," where malicious code is delivered through advertisements served on a legitimate website.
- Implement block/black lists and enforce them at the network perimeter.
- Employ advanced authentication techniques for user logins (two-factor authentication).
- Engage a security expert to test your network, or run security software that helps you close known vulnerabilities.
Actions For Financial Institutions
The joint advisory recommends institutions consider offering the following security measures:
- Online credit card purchase verification programs, such as Verified by Visa.
- Automatic blocking of wire transfers to particular countries.
- Delayed transaction or batch processing of money transfers and/or immediate user notifications.
- Procedures requiring account owners to verify transactions over certain amounts, possibly through callbacks.
- Out-of-band token/PIN delivery, possibly via SMS or automated phone call.
- Giving account owners the option to create a "white list" of the approved accounts between which transactions may take place.
- Established procedures with intermediary banks and law enforcement for responding to potential fraudulent activity.
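The institution-side controls above, together with the dual control Nelson mentions, are layered: a wire has to clear every check, not just one. The following is an added example of how such a screening step might be composed, written for this page and not code from the advisory, FS-ISAC, or any bank. The `Wire`/`Policy`/`Decision` types, the thresholds, the country code "XX", the accounts and the sample wires are all constructed for illustration; a destination-country block rejects outright, while every other failed check places the wire on hold pending the named out-of-band verification.

```python
# Layered screening of outbound wire transfers. Added example, not code from the
# advisory or FS-ISAC; every threshold, account, country code and wire below is
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Wire:
    ref: str                           # constructed transfer reference
    account: str                       # originating customer account
    beneficiary: str                   # destination account (constructed id)
    country: str                       # beneficiary bank country, ISO 3166 alpha-2
    amount: float                      # USD
    initiated_by: str                  # user who keyed the wire
    approved_by: Optional[str] = None  # second user under dual control, if any


@dataclass
class Policy:
    blocked_countries: Set[str]        # automatic block of certain destinations
    dual_control_threshold: float      # second approver required at/above this
    callback_threshold: float          # owner callback required at/above this
    whitelists: Dict[str, Set[str]] = field(default_factory=dict)  # opt-in per account


@dataclass
class Decision:
    action: str                        # "release", "hold" or "reject"
    reasons: List[str] = field(default_factory=list)


def screen(wire: Wire, policy: Policy) -> Decision:
    """Apply the controls in order of severity. A hold is released only after
    every listed verification step has been completed out of band."""
    if wire.country in policy.blocked_countries:
        return Decision("reject", [f"destination country {wire.country} is blocked"])

    reasons: List[str] = []

    # Account-owner whitelist: only enforced for accounts that opted in.
    whitelist = policy.whitelists.get(wire.account)
    if whitelist is not None and wire.beneficiary not in whitelist:
        reasons.append("beneficiary not on the account's whitelist")

    # Dual control: a second, different user must approve large wires.
    if wire.amount >= policy.dual_control_threshold:
        if wire.approved_by is None or wire.approved_by == wire.initiated_by:
            reasons.append("second approver required")

    # Callback: the account owner confirms very large wires through a separate channel.
    if wire.amount >= policy.callback_threshold:
        reasons.append("callback verification of account owner required")

    return Decision("hold" if reasons else "release", reasons)


def screen_batch(wires, policy: Policy) -> Dict[str, Decision]:
    """Batch processing: decide every wire in the file before any is released,
    so the account owner can be notified of all of them at once."""
    return {w.ref: screen(w, policy) for w in wires}


# Constructed policy and sample wires for a single run.
POLICY = Policy(
    blocked_countries={"XX"},            # hypothetical blocked destination
    dual_control_threshold=25_000,
    callback_threshold=100_000,
    whitelists={"ACC-100": {"BEN-1", "BEN-2"}},
)

WIRES = [
    Wire("W1", "ACC-100", "BEN-1", "US", 5_000, "alice"),
    Wire("W2", "ACC-100", "BEN-9", "XX", 150_000, "alice", "bob"),
    Wire("W3", "ACC-100", "BEN-2", "DE", 120_000, "alice", "bob"),
    Wire("W4", "ACC-200", "BEN-5", "US", 30_000, "carol", "carol"),
    Wire("W5", "ACC-100", "BEN-7", "GB", 10_000, "alice"),
]

if __name__ == "__main__":
    for ref, decision in screen_batch(WIRES, POLICY).items():
        print(ref, decision.action, "; ".join(decision.reasons))
```

Note that W3 is held even though two different users approved it: dual control and the callback threshold are independent checks, which is the point of a layered defense. A whitelist miss is treated as a hold rather than a rejection here so that a legitimate new payee can still be confirmed with the owner out of band; a stricter deployment would reject it.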