Pub. 4 2013 Issue 4

winter 2013 21 West Virginia Banker so wire transfer requests can be more closely scrutinized. • If a DDoS attack occurs, in addi- tion to the affected system, consider slowing down or taking offline other electronic services or transactional channels temporarily to prevent undetected fraudulent account access or transfers, until the DDoS issue is resolved and the attacked site/system is returned online and safely opera- tional. • In addition to having bank-hosted security software for browser secu- rity and protecting online sessions, consider software that detects, and possibly removes malware from your customer’s machine. • Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails. Monitor phishing emails as well as include filters for emails from suspect IP/URL addresses. • Do not allow employees to freely access the Internet or e-mails on the same computers used to initiate payments. Conversely, do not allow employees to access administrative accounts from home computers con- nected to home networks. • Ensure employees do not leave USB tokens in computers used to connect to payment systems. • Consider implementing time-of-day login restrictions for the employee accounts with access to payment sys- tems. Monitor employee logins that occur outside normal business hours. • Restrict access to wire transfer limit settings. Reduce employee wire limits in automated wire systems to require a second employee to approve larger wire transfers. Consider implement- ing an out-of-band authorization prior to allowing wire transfers to execute. Limit systems from which credentials used for wire authoriza- tion can be utilized. • If wire transfer anomaly detection systems are used, consider changing “rules” to detect this type of attack and, if possible, create alerts to notify bank administrators if wire transfer limits are modified. • Secure and/or store manuals offline or restrict access to training system manuals with enhanced access controls. • Review intrusion detection and incident response procedures and consider conducting a mock scenario testing exercise to ensure familiarity with the plan. • Know and talk with your peers. Establish communications and share information with fellow bankers through alerts and by utilizing orga- nizations such as FS-ISAC, Commu- nity Institution Council, Payments Risk Council, bankers associations, etc. Security recommendations for your customers • Educate your customers on what they can do to prevent their systems and accounts from being infiltrated. Communicate and update them on current threats. • If your bank provides or your cus- tomer uses a standalone PC at their location, recommend limiting usage to just your bank’s website and finan- cial transaction systems by disabling email and web browser functionality. • Monitor phishing emails as well as include filters for emails from suspect IP/URL addresses. • Encourage customers and your bank’s employees to only download reputable apps onto mobile devices. Be aware of so-called “electronic wallets” as many are designed to harvest bank credentials for others’ malevolent use. Resources are readily available Resources and best practices tips are available to help guide your bank and your customers in taking protective measures against internet/cyber-related crimes and attacks. Take advantage of resources from na - tional or state bankers associations. With cyber-threats an ever-increasing industry concern, national and state groups are working together in sharing best practices and information to cover all institutions, regardless of scope or size. The American Bankers Association has online resources dedicated to cyber-security, www.aba. com/Tools/Function/Cyber/Pages/de- fault.aspx, in addition to on-staff expert advisors to guide and assist bankers with risk management solutions. Some resourc- es are available to all banks, not necessari- ly just ABA members. Even just reading and sharing with your staff e-bulletins and alerts from state or national bankers association can provide basic risk management tips for your bank and customers. Consider joining FS-ISAC. The Financial Sector-Information Sharing and Analysis Center is a private, nonprofit organization comprised of member associations and financial institutions working together with government agencies to pool infor- mation and resources to help protect and inform the banking industry as a whole of threatening cyber-activities as part of the nation’s homeland security initiative. For banks under $1 billion in assets, a specially priced membership package is available. More information is available at www.fsisac.com. Footnotes and Additional Reading Material 1 “Cybercrooks use DDoS attacks to mask theft of banks’ millions” by Steven Musil, August 21, 2013, cnet.com • Patricia P. Williams, CPCU Regional Sales & Relationship Manager ABA Insurance Services Inc. Endorsed by the WVBA, nearly 1 in 2 West Virginia banks purchase their D&O, Bond and P&C coverage from ABA Insurance Services. With a sustained countrywide market share of nearly 25%, the program is the only bank-owned and banker-directed solution available for financial institutions. For the 23rd consecutive year, a distribution has been declared, totaling $77.9 Million to date. We will work with you or your insurance agent. For more information, visit www.abais.com or contact Patricia Williams at 800-274-5222 or pwilliams@abais.com. Twitter@ ABAInsSvcs “Fraud Alert – Cyber Criminals Target- ing Financial Institution Employee Cre- dentials to Conduct Wire Transfer Fraud,” white paper jointly developed by FS-ISAC, the FBI and IC3, September, 2012, www. ic3.gov/media/2012/FraudAlertFinancia- lInstitutionEmployeeCredentialsTargeted. pdf n