Pub. 7 2016 Issue 1
West Virginia Banker, Spring 2016, p. 21

the newest and latest attacks and types of fraud hitting the internet, and crime-as-a-service is no exception. Some of the most recent forms of cybercrime to be turned into crime-as-a-service include online dating scams, ransomware, warranty fraud, reshipping, and call centers.

Online dating is extremely popular, and nearly everyone knows or has heard a story about someone being the victim of an online dating scam. Online dating scams statistically prey on lonely men via online dating websites or spam email campaigns. Crime-as-a-service automates these attacks by giving the “customer” the option of different packages that include standard text, hundreds of email templates, and advice for tricking the victim into sending money to the “customer” via wire transfer. The vendor of this service advertises a response rate of 1.2%, and claims that “customers” who send at least 30 scams a day can make roughly $2000 per week.

Ransomware is another popular attack that is becoming easier to automate through crime-as-a-service. A software product called “Ransom32” allows anyone to kick off their own ransomware campaign by simply registering for a Bitcoin account. The “customer” simply uses their Bitcoin credentials to sign up for the ransomware service, configures the style and type of attack they wish to send out, and starts sending out the malware.

Bad guys also set up call centers to support online dating scams (the call center makes calls to victims pretending to be the love of their life), ransomware (helping victims purchase Bitcoins and decrypt files, ensuring that the victim recovers so that the fraud continues to propagate), and reshipping scams (using stolen credit cards to purchase expensive items online, shipping such items to “mules” at other addresses, then reselling the merchandise). Call centers charge fees to assist in cybercrime activities, ranging from $10 a phone call to ongoing fees for extended scams.

How Does Crime-as-a-Service Affect My Institution?

Financial institutions have to look out for cybercrime from multiple angles, and must be aware of potential attacks on both employees and customers. Institutions must be very cognizant of, and continuously monitor, their internal networks for unauthorized traffic and unknown files. Once in the network, cyber-attacks attempt to remain undetected while gathering information or gaining access to funds, but there are typically red flags if you’re paying close enough attention. It’s extremely important to be able to detect an attack that is occurring, not just attempt to prevent or recover from an attack. Getting transferred funds back is much more difficult than stopping an attack from leaving the network.

Monitoring customer transactions is also extraordinarily important in order to combat identity theft. Setting transaction limits, implementing two-factor authentication, and developing payment whitelists are very effective controls to mitigate the risk of customer fraud.

The last thing to keep in mind is that training and education reduce the risk for everyone involved. It is no longer acceptable to have employees watch a 60-minute video on phishing once a year; financial institutions must provide relevant and useful training and education to their employees on an ongoing basis, and consider leveraging such training and education for customers as well.

Jon Waldman, CISA, CRISC, Partner, Senior Information Security Consultant and VP of Business Development for SBS Institute. The SBS Institute provides banking-specific, role-based certifications allowing students to master the concepts and technologies required to perform essential cybersecurity functions. Jon can be reached at jon.waldman@protectmybank.com.

WVBA Annual Convention, July 24-27, 2016