Apr. 8: Lender cyber security primer: types, phishing, NY rules, patches, preventative measures; new scam hits law firms
“Dear God, please send clothes for all those poor ladies on grandpa’s computer. Amen.” There are plenty of things going on with computers these days, and not all of them involve cute jokes or cat videos. Many are very serious.
Phishing (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers) is an interesting topic. Pew research finds 50% of US adults are unable to identify examples of phishing, have not heard of ransomware or were not aware that wireless routers do not automatically encrypt data flowing through them. Only 33% were aware that https meant a link was encrypted. Lenders and bankers should continue to educate customers and staff in this area to help protect their banks. PwC research finds phishing was the top vector of cyberattack in 2016.
How do you help and train your staff to avoid phishing? Here’s a decent site on the topic.
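One of the checks worth teaching staff (and worth automating at the mail gateway) follows from the two facts above: a link that is not https is not encrypted, and phishing mail routinely shows one address as the link text while the href points somewhere else. The script below is an added example, not something from the newsletter or the site it refers to; the sample message and the domains in it are constructed placeholders, and the domain comparison uses a simple last-two-labels rule rather than a public-suffix list.

```python
"""Flag risky links in an HTML email body (added example, not from the newsletter).

Two tells the article points at: a link that does not use https, and link text
that displays one domain while the href goes to another.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches link text that looks like a URL or bare host name, capturing the host.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    # Assumption: last two labels stand in for the registrable domain
    # (a real gateway would consult a public-suffix list).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html):
    """Return [(href, [reasons])] for every link that looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        url = urlparse(href)
        if url.scheme != "https":
            reasons.append("not https")
        shown = HOST_RE.match(text)
        if shown and url.hostname:
            if _registered_domain(shown.group(1)) != _registered_domain(url.hostname):
                reasons.append(
                    f"text shows {shown.group(1)} but link goes to {url.hostname}"
                )
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one deceptive link, one legitimate link.
SAMPLE_EMAIL = """<p>Your account has been locked. Reset your password now.</p>
<a href="http://login-examplebank.invalid/reset">https://www.examplebank.com/reset</a>
<a href="https://www.examplebank.com/help">Help center</a>"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run as-is it reports only the first link (plain http, and the displayed domain does not match the real destination); the second passes both checks.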
They don’t call them “scam artists” for nothing—sometimes fraudsters are very good at being bad. More than 100 lawyers learned that lesson the hard way when a Canadian man bilked them out of more than $23 million. According to court filings, Henry Okpalefe’s scheme involved sending fake solicitations for representation to law firms. The fake client would claim that a person owed them money, and the lawyer would receive a check, supposedly from the person who owed money to the fake client. The lawyer would deposit the check into an IOLTA account and then transfer that money to the fake client’s bank account, which was always in an offshore bank. The money would be withdrawn from that bank before the lawyer learned that the original check was counterfeit. But there’s a happy ending (for the victims anyway): Okpalefe was convicted of conspiracy to commit mail fraud, wire fraud and money laundering in the U.S. District Court for the Middle District of Pennsylvania.
Cisco cybersecurity research finds security professionals cite the following as the biggest sources of concern related to cyber-attacks: mobile devices (58%), data in the public cloud (57%), cloud infrastructure (57%), and user behavior such as clicking malicious links in emails or websites (57%).
And apparently there is a new sort of cyberattack going on that lenders and banks should know about. According to CIO, hackers call the customer service line at hotels or restaurants and pretend to be clients who can’t access the online reservation system. The hackers also send an email to the customer service agent that includes an attached Word document which supposedly contains their reservation information. Unbeknownst to the customer service rep, the document is designed to download malware that steals customer credit card information.
While this particular crime wave doesn’t appear to be targeting banks just yet, it is another reminder that when it comes to cybersecurity, a bank can never be too careful. Experts will tell you that employees are often the weakest link in cybersecurity so a focus here is critical. Consider a CEB study from late last year that found more than 90% of employees violate policies designed to prevent data breaches.
The scary thing is that offenders aren’t always taking aim at company systems maliciously. In most cases, problems occur unintentionally, such as an employee accidentally clicking on something they shouldn’t, or cutting security corners to get the job done faster. IT folks and senior management need to reinforce the message that controlling cyber risk and ensuring company security is everyone’s business. Clear protocols should be regularly reviewed and updated. New breach events, such as the above regarding customer service infiltrations, necessitate tabletop testing, enhanced review and possible update of protocols with recommunication bank-wide.
Steve Brown with PCBB recommends, “To help engage employees and better understand their concerns, role playing can be an option. This sometimes helps employees gain insight first hand into potentially risky situations and the best ways to react calmly. Knowing that they can rely on their coworkers and management for guidance in such exercises creates not only a feeling of support, but also commitment.”
Password sharing is a security no-no, but it is prevalent – it is so easy to say, “Look, I am stuck in traffic. Could you log onto my computer…” Research finds about 70% of people use the same password for multiple websites, 62% of smartphone owners don’t password protect their device, 31% of people have shared passwords with friends and people repeatedly use dumb and easily broken passwords like “password,” “iloveyou” and “abc1234.”
Employees should have clear guidance about what they should and should not be doing regarding passwords. Management needs to help them understand the risk to themselves and the bank in using simple passwords all over the internet. Some smaller mortgage banks or community banks may feel immune from trouble because of their size, but in reality, you have just as much to fear from hackers as the largest banks. While the biggest names are better known worldwide, every bank is listed with the FDIC, those lists are everywhere and bank websites are easily found. No matter your sophistication here, a continual focus on cybersecurity is needed to avoid trouble.
Some lenders and vendors have picked up on the blockchain news. The European Commission has proposed a pilot study to improve knowledge of blockchain’s capabilities and capacities, with an aim of deepening understanding among national regulators. This is the commission’s latest move toward awareness of distributed-ledger technology.
Any lender operating in New York, or any servicer servicing loans in NY, should know that the New York State Department of Financial Services (NYDFS) released guidance for covered financial institutions regarding its cybersecurity rule that took effect on March 1, 2017. The guidance comes in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Law firm Morrison & Foerster LLP did a good write-up on it.
There are not enough cybersecurity professionals to meet worldwide demand—and there are not enough women cybersecurity professionals, period. A PricewaterhouseCoopers survey of over 19,000 information security professionals from 170 nations found that on average, women comprised only 11% of the global cybersecurity workforce. This percentage was far lower in the Middle East (5%) and Europe (7%) and higher in North America (14%), which had the highest percentage of women cybersecurity professionals worldwide (and that’s not saying much).
It gets worse: Among all those surveyed globally, the majority (87%) of women cybersecurity professionals said they experienced unconscious discrimination, while just over half said they experienced an unexplained denial or delay in career advancement. Sloane Menkes, principal of PwC’s Global Crisis Centre, explained unconscious discrimination in terms of situations where organizations are “not bringing women cybersecurity professionals into projects and [not providing] them with opportunities, for example, through mentorship or sponsorship.”
Treasury Secretary Steven Mnuchin said that because the safety of the financial system is critical, he has made cybersecurity his top technology priority. He said he will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity.
Research finds 85% of successful data breaches target the top 10 known vulnerabilities. It is believed that all those breaches could have been prevented because patches were available. The companies impacted had not updated their patches. Now you know why regulators are focused on something as mundane as asking about patch updates during IT exams. Educating employees and customers about the myriad common cybersecurity threats that community banks increasingly face is critical.
In addition to third-party vendor risk, Chicago Fed research (as presented by PCBB) identifies several cyber threats or cyber-related risks that are the most common in community banks and lenders. The first is “Malware.” This one is perhaps the best known and most widely discussed. It represents any software that is used to disrupt computers or networks, gather information or access private systems. Malware typically works by breaching a bank’s network through vulnerabilities or weak points of attack, and can infect storage media like USB sticks, mobile phones or tablets. These are often connected to computers, and through malware, hackers deliver computer viruses, ransomware, spyware and botnets. Since malware is often distributed via drive-by downloads, email attachments, file sharing or phishing, it is the most common cyber risk. Prevention is about educating your employees and doing regular IT updates.
The second is “DDoS.” Distributed denial of service attacks have been on the rise over the past 5 years as a main attack type on US banks. With DDoS, cybercriminals use millions of computers to send simultaneous requests to a single bank computer or website. This floods the system so the bank’s network is shut down or disrupted. While IT teams are distracted dealing with this issue, cyber criminals attack elsewhere and try to slip through defenses. Prevention here includes limiting router flows, adding filters, layering defenses, timing out open connections and increasing network scale.
“Takeover,” or corporate account takeover, happens when cybercriminals essentially steal the identity of a business. They take control of a business customer’s bank account, steal legitimate online banking credentials and then use those to process a money transfer to an offshore account. Prevention here includes setting more safeguards and closely monitoring suspicious activity (business), as well as following proper procedures to the letter and alerting clients of oddities (banks).
Data leakage is the unauthorized transfer of confidential data without permission from the bank. This can happen either electronically or through storage devices such as USB drives. These incidents can also be intentional or unintentional, and, according to SANS Institute, nearly 75% of data leakage incidents involve customer data. Prevention includes disabling thumb drives and installing software that tracks, quarantines, notifies and blocks such attempts.
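The “tracks, quarantines, notifies and blocks” software mentioned above is data-loss prevention tooling, and its core is a content check run before a file goes to a thumb drive or out by email. The script below is an added example, not code from the newsletter or from any vendor: it looks for 13 to 19 digit sequences that pass the Luhn check (the checksum payment card numbers carry), which is what keeps ordinary numbers such as loan ids and phone numbers from tripping it. The sample text is constructed, and the card number in it is a well-known industry test number rather than a real account.

```python
"""Minimal DLP-style check for payment card numbers (added example, not from the newsletter)."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid digit strings found in text, separators removed."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep only the last four digits so a report never re-leaks the number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_before_transfer(text):
    """Return (allowed, report) for an outbound file body."""
    hits = find_card_numbers(text)
    if not hits:
        return True, "no customer card data found"
    return False, "blocked: " + ", ".join(mask(h) for h in hits)


# Constructed sample file contents: one real-looking card, one loan id, one phone number.
SAMPLE = (
    "Loan file 2024-000123\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Phone: 555-0100-123456\n"
)

if __name__ == "__main__":
    allowed, report = scan_before_transfer(SAMPLE)
    print("allowed" if allowed else "denied", "-", report)
```

The phone line has 13 digits and so is a candidate, but fails the checksum and is ignored; only the card line blocks the transfer, and the report masks all but its last four digits.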
Another is “Vulnerabilities.” Mobile and web application vulnerabilities are essentially flaws within the applications that sit on smart phones or at a bank’s website. These flaws are discovered by hackers and exploited to gain access to your mobile or online platform. Once inside, hackers steal data, take over customer accounts or even take control of a bank’s internal network. Unfortunately, on the banking side, the more mobile banking continues to grow, the greater this risk becomes. Prevention includes improving server controls, improving authentication/authorization and adding encryption.
Weaknesses in project or change management commonly occur because of poor documentation and risk analysis. These can expose a bank’s systems and important data. Since banks use project management to manage changes in their IT infrastructure, support new business processes or integrate new technologies and products, vulnerabilities in these processes can be exploited by cybercriminals to gain access. The best thing to do here is to review your change management processes and beef them up as needed to ensure a quality structure.
Regulators, whether banking or lending, view cyber risk as a national security issue that goes well beyond banking, so take proactive, strong and continual steps to protect yourself and your data. Although this is a bit of a commercial white paper (ad), here’s a decent write-up on the cybersecurity issues facing mortgage lenders.
(Norm O. sent this oldie but goodie.)
The owner of a certain golf course in Georgia was confused about paying an invoice, so he decided to ask his secretary for some mathematical help.
He called her into his office and said, “Y’all graduated from the University of Georgia and I need some help. If I wuz to give yew $20,000, minus 14%, how much would you take off?”
The secretary thought a moment, and then replied, “Everthang but my earrings.”
(Copyright 2017 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)