Title: Association of Credit Union Senior Officers
- Weaving the Web: Combating Internet Fraud
- ACUSO Annual Meeting
- November 17, 2005
Agenda: review and discuss
- The recent FFIEC guidance.
- The types of authentication available today.
- The types of threats on the Internet.
- What is being done to combat Internet threats.
- What the credit union can do to protect its web site and related Internet products.
- What the credit union can do to educate its members.
Online ID theft statistics
- Perhaps the best-known form of online theft is "phishing." The Anti-Phishing Working Group counted 13,776 distinct phishing attacks in August 2005.
- An October survey commissioned by the Internet security company Entrust found that 18 percent of Americans who have banked online now do so less, or not at all, because of security concerns.
- Members have mixed feelings about extra online security (two surveys):
- Ninety-four percent say they are willing to accept extra online security controls.
- Eighty-one percent complained about security, passwords, etc.
- Eighty-three percent do not want to pay for additional security controls.
The FFIEC issued guidance on October 12, 2005
- It declares single-factor authentication, such as a password alone, inadequate for transactions that involve customer information or the transfer of funds to or from an account.
- It encourages financial institutions to adopt "enhanced authentication methods" that can identify customers online by the end of next year (2006).
- The guidance leaves the choice of authentication technology to each institution, recommending that the choice follow a risk assessment process.
First type of authentication: something a person knows
- PIN or password
- Watermark (a pre-selected image the user must pick out)
- Secret question
- If the user types the correct PIN, selects the correct image or answers the secret question correctly, access is granted.
- Recent statistics show most people have an average of 17 passwords.
Second type of authentication: something a person has
- A self-contained device, such as a smart card, that must be physically connected to the computer. This increases the credit union's or the member's hardware cost, because it requires a reader of some kind on the member's PC or laptop.
- A device with a small screen on which a one-time password (OTP) is displayed; the user enters the OTP to be authenticated.
- Typically the OTP changes every 30 to 60 seconds, and the device needs to be replaced every four to five years.
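How a display-only OTP token and the credit union's server stay in step without the secret ever crossing the wire, as an added example written for this page (it is not code from the presentation or from any token vendor). It implements HOTP (RFC 4226) and TOTP (RFC 6238) using the RFC test-vector seed; the 30-second step, six-digit codes and the one-step clock-drift allowance are assumptions, and the replay check is the part a vendor's server-side SDK would normally handle.

```python
import hashlib
import hmac
import struct

# Added example, not from the presentation. SEED is the RFC 4226/6238
# test-vector seed (an assumption for the demo), never a real token key.
SEED = b"12345678901234567890"
STEP_SECONDS = 30          # the "changes every 30 seconds" window
DRIFT_STEPS = 1            # accept one step of clock skew either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the code the token displays at unix_time is HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side. Accepts a code from the current step or DRIFT_STEPS either
    side of it, and never accepts a step at or below the last one consumed, so a
    code captured and replayed inside the same window is rejected."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = STEP_SECONDS, drift_steps: int = DRIFT_STEPS):
        self.secret, self.digits, self.step, self.drift = secret, digits, step, drift_steps
        self.last_step_used = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.drift, now_step + self.drift + 1):
            if candidate <= self.last_step_used:
                continue                        # already consumed: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    # What the member's token shows at three consecutive moments.
    for t in (1000, 1029, 1030):
        print(f"t={t:5d}  step={t // STEP_SECONDS}  code={totp(SEED, t)}")
    server = TotpVerifier(SEED)
    code = totp(SEED, 1000)
    print("first use accepted:", server.verify(code, 1029))
    print("replay accepted:   ", server.verify(code, 1029))
```

The drift window exists because the token's clock and the server's drift apart over the four-to-five-year life of the device. Note what this does not buy: a phisher who relays the member's code to the real site within the same 30-second window still gets in, which is why the later slides on mutual authentication matter as much as the second factor itself.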
Third type of authentication: something a person is
- Fingerprint
- Voice pattern
- Hand geometry
- Retinal scan
- This type of authentication is referred to as biometrics.
- It requires installation of specific hardware.
Biometric Digest highlights: fingerprint readers
- Affordability: devices are down to $50 or less.
- Convenience: some fingerprint readers are USB plug-and-play and support user switching, which makes them more convenient for multiple registered users on a Windows XP computer.
- Security: the solution should use leading-edge fingerprint sensors from vendors whose software can enroll multiple fingerprints.
- Look for devices that include software able to encrypt and decrypt files using the enrolled fingers, keeping files safe from unauthorized users.
Phishing (also known as carding and spoofing)
- A form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and account information, via electronic communication such as e-mail or instant message.
Phishing (also known as carding and spoofing)
- The first attempts were sent indiscriminately, in the hope of reaching a customer of a given financial institution or service.
- Recent research has shown that phishers may be able to establish which institution a potential victim has a relationship with, and then send an appropriately spoofed e-mail to that victim. Such targeted versions are called spear phishing.
Presently, the standard means of verifying that a site is secured are:
- Is the site displaying a security seal such as "VeriSign Secured"?
- Is there a padlock in the lower right-hand corner (status bar) of the browser? It indicates that a Secure Sockets Layer (SSL) connection is in place.
- Does the address begin with https://?
- As the Citi example on the following slides shows, a phishing site can display all three.
Phishing: Citi report, October 24, 2005
- E-mail subject line: "CitiBank Bank Security Management Team update".
- Description: the message the user receives is not well written, but the rest of the scheme makes up for it.
- The hyperlink text shows the real Citibank address, but after the user clicks the link in the e-mail, the URL in the address bar is https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do (note "cytigroup", not "citigroup").
- There is a lock icon at the bottom of the browser window.
Phishing: Citi report, October 24, 2005
- In short, the phisher obtained a valid SSL (https) certificate for the lookalike domain and used it as part of the scam. A certificate only binds a key to a domain name: the lock icon says the connection to cytigroup.com is encrypted, not that cytigroup.com is Citi.
- Clicking the "VeriSign Secured" graphic on the page opens a VeriSign page that clearly states that citibusinessonline.da-us.citibank.com (not cytigroup.com) is a VeriSign Secured site. But that is the sort of difference few people will notice.
- The remaining screens in the phishing attack collect and harvest information.
Phishing: Citi report, October 24, 2005
- This example shows conclusively that following links in unsolicited e-mails is inadvisable.
- Even the normal HTTPS facilities, valuable as they are, are not proof that a site is what you think it is.
- If you need to access one of your financial accounts, log in through your normal bookmarks or by typing the URL.
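The check that the lock icon and the seal do not perform, written as an added example for this page (not code from the presentation or from Citi): does the host the link really goes to belong to the institution, and does the visible link text agree with it? TRUSTED_DOMAINS is an assumed allow-list and SAMPLE_EMAIL is constructed from the lookalike host described on the previous slides.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the presentation. The allow-list is an assumption;
# a credit union would list its own registrable domains here.
TRUSTED_DOMAINS = ("citibank.com",)


def host_of(url: str) -> str:
    """Host portion of a URL, lowercased, trailing dot removed ('' if none)."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")


def host_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when the host IS a trusted domain or a subdomain of one.
    'citibusinessonline.da-us.cytigroup.com' and 'citibank.com.evil.example'
    both fail; so does 'https://www.citibank.com@evil.example/', whose real
    host is evil.example (everything before '@' is userinfo, not the host)."""
    host = host_of(url)
    return bool(host) and any(host == d or host.endswith("." + d) for d in trusted)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain-looking token inside the visible link text, with or without scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS):
    """Flag anchors whose target host is untrusted, or whose visible text names a
    domain that is not where the link really goes (the trick in the Citi e-mail)."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        target = host_of(href)
        match = _DOMAIN_IN_TEXT.search(text)
        shown = match.group(1).lower() if match else ""
        if not host_is_trusted(href, trusted):
            findings.append((href, "target host not trusted: " + (target or "<none>")))
        elif shown and shown != target and not target.endswith("." + shown) \
                and not shown.endswith("." + target):
            findings.append((href, f"link text shows {shown} but goes to {target}"))
    return findings


# Constructed sample, modelled on the Citi report: the first link's text is the
# genuine address while its href is the lookalike domain.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="https://citibusinessonline.da-us.cytigroup.com/cbusol/signon.do">https://citibusinessonline.da-us.citibank.com/</a>
<a href="https://www.citibank.com/">www.citibank.com</a>
<a href="https://www.citibank.com@evil.example/">Citi Online</a>
"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}\n    {why}")
```

The same host comparison is what a member does by hand when they read the address bar, and it is the only one of the three "standard means" on slide 13 that a phisher cannot satisfy without owning the institution's domain.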
Popular method of phishing: cross-site scripting and open redirect URLs
- Fraudsters detect and exploit opportunities to run their frauds on the financial institution's own site.
- Taking advantage of mistakes in applications and web site management, fraudsters have been able to run phishing scams on sites belonging to Visa, MasterCard, SunTrust, Charter One and Citizens Bank.
Popular method of phishing: cross-site scripting and open redirect URLs
- Typically this has been achieved through cross-site scripting flaws and redirection URLs present on financial institutions' sites.
- An open redirect on a financial web site lets a fraudster craft a link to the phishing site that passes through the credit union's site. The link looks genuine, because it appears to point to a page on the credit union's site, and it is particularly plausible if the site is served over SSL: the credit union's own SSL certificate is presented before the redirect happens.
- When a user clicks the link, they may be unaware that they have been redirected to the phishing site.
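The redirect flaw itself, as an added example written for this page (not code from the presentation or from any of the institutions named): the handler that trusts its `url` parameter beside one that only sends the member to a page on the credit union's own site. SITE_HOST, DEFAULT_LANDING and the sample parameters are assumptions; the bypass cases in the comments are the ones a validator is most often caught by.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not from the presentation. Host and landing page are assumed.
SITE_HOST = "www.cu.example"
DEFAULT_LANDING = "/accounts"


def redirect_target_vulnerable(param: str) -> str:
    """The 'before': whatever ?url= says becomes the Location header, so
    https://www.cu.example/login?url=https://evil.example/login is a link into
    the credit union's own SSL site that lands on the phisher's page."""
    return param


def redirect_target_hardened(param: str) -> str:
    """The 'after': only absolute paths on our own site survive; anything else
    becomes the default landing page."""
    # Browsers discard ASCII tab/newline inside a URL, so "/\t/evil.example" is
    # "//evil.example" to the browser even though naive checks see a plain path.
    cleaned = "".join(ch for ch in param if ch not in "\t\r\n")
    # Browsers treat backslash as slash: "/\evil.example" means "//evil.example".
    if "\\" in cleaned:
        return DEFAULT_LANDING
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):   # javascript:, data:, ...
        return DEFAULT_LANDING
    if parts.netloc:
        # Absolute URL: it must name exactly our host, with no userinfo, because
        # https://www.cu.example@evil.example/ has hostname evil.example.
        if parts.hostname != SITE_HOST or "@" in parts.netloc:
            return DEFAULT_LANDING
    elif parts.scheme:
        return DEFAULT_LANDING        # "https:evil.example": scheme but no host
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_LANDING        # relative paths and protocol-relative URLs
    # Re-emit as a same-site relative URL; the fragment is dropped deliberately.
    return urlunsplit(("", "", parts.path, parts.query, ""))


# Constructed parameters: one legitimate, the rest the usual bypass attempts.
SAMPLE_PARAMS = [
    "/accounts/summary?tab=1",
    "https://www.cu.example/accounts",
    "https://evil.example/login",
    "//evil.example/login",
    "/\\evil.example",
    "/\t/evil.example",
    "javascript:alert(1)",
    "https://www.cu.example@evil.example/",
    "https:evil.example",
]

if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(f"{p!r:45} vulnerable -> {redirect_target_vulnerable(p)!r:45} "
              f"hardened -> {redirect_target_hardened(p)!r}")
```

Rejecting rather than "fixing" a bad target is deliberate: a redirect that silently rewrites attacker input is as hard to reason about as one that trusts it. Where the application needs to send members to a partner site, a fixed table of named destinations (`?to=billpay`) removes the free-form parameter altogether.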
Popular method of phishing: an e-card scam that is trickier than most
- The e-card looks like it comes from Hallmark and asks you to download an attachment to pick up your e-card. The attachment isn't really an e-card; it's a Trojan.
- This particular Trojan waits for you to sign on to AOL. When you do, it displays a pop-up window that looks like an AOL form and asks you to verify or update your AOL billing information by providing your credit card, checking account information and Social Security number.
Fair Credit Reporting Act: "free credit report" scams
- An amendment to the Fair Credit Reporting Act requires each of the nationwide consumer reporting companies to provide consumers with a free copy of their credit report, on request, once every 12 months.
- The three companies have set up one central web site, toll-free telephone number and mailing address through which a person can order a free credit report.
Fair Credit Reporting Act: "free credit report" scams
- The Federal Trade Commission (FTC), the nation's consumer protection agency, wants you to know that if you want to order your free annual credit report online, there is only one authorized web site: annualcreditreport.com.
- To order your free annual credit report:
- Visit annualcreditreport.com
- Call toll-free 1-877-322-8228
- Mail your completed Annual Credit Report Request Form to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281
Fair Credit Reporting Act: "free credit report" scams
- Imposter sites often look like the official site at annualcreditreport.com.
- Some use terms like "free report" in their names; others have web site names that purposely misspell annualcreditreport.com, in the hope that you will mistype the name of the official site.
- Some of these imposter sites direct you to other sites that try to sell you something or collect your personal information.
- To learn about spam or report an occurrence, visit www.ftc.gov/spam
Malware
- Malware is software designed to take over and/or damage a computer user's operating system without his or her knowledge or approval.
- Once installed, it is often very difficult to remove. Depending on the severity of the program installed, its handiwork can range from the slightly annoying (such as unwanted pop-up ads while a user is performing regular computing tasks, on or offline) to irreparable damage requiring the hard drive to be reformatted, since much malware is poorly written.
Examples of malware: backdoor
- A backdoor is a piece of software that allows access to the computer system while bypassing the normal authentication procedures. Based on how they work and spread, there are two groups of backdoors.
- The first group works much like a Trojan: they are manually inserted into another piece of software, executed via their host software, and spread when the host software is installed.
- The second group works more like a worm: they are set to execute as part of the boot process and are usually spread by worms that carry them as their payload.
Examples of malware: dialer
- A dialer is a program that either replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or dials out at night to send keylogger output or other information to a hacker.
Examples of malware: keylogger
- A keylogger is software that copies a computer user's keystrokes to a file, which it may send to a hacker at a later time.
- Often the keylogger will only "awaken" when the user connects to a secure web site, such as a bank. It then logs the keystrokes, which may include account numbers, PINs and passwords, before the browser encrypts them for the secure web site. SSL protects the data on the wire, not the keystrokes on an infected PC.
Examples of malware: browser hijacker
- A browser hijacker is any program designed to alter a computer user's browser settings.
- These changes can come in the form of new web sites added to the user's bookmarks, the replacement of his or her home page with one set by the author or, in the worst case, the browser actually being redirected to URLs of the author's choosing when certain addresses are typed or found in a search engine results page.
Pharming
- Pharming is the exploitation of a vulnerability in DNS server software that allows an attacker to take over the name resolution for a site and redirect that web site's traffic to another web site.
- DNS servers are the machines responsible for resolving Internet names into their real addresses: the "signposts" of the Internet.
Pharming
- The domain name server acts as a "phone book", associating the domain name of a web site with its IP address ("resolving the domain name").
- If the web site receiving the traffic is a fake, such as a copy of a bank's web site, it can be used to "phish" the computer user's passwords, PIN or account number.
- ... is ignoring warnings about invalid server certificates.
Web site page hijacking
- A Linux web server running Apache and OpenSSL in the summer of 2004 had been patched only up to roughly 2000 levels. The web server was hosting several web sites, including the web page of our client (a credit union).
- One night the web site was defaced, and the page put up in its place proclaimed an end to Israeli terrorism and a desire for Palestinians to have their own country.
- Through subsequent research on the group that claimed responsibility for the defacement, it was learned that:
- The web site was defaced by a worm that exploits a known vulnerability in open source software.
- The software that was exploited is often included in a standard Linux server running Apache.
- The web site would not have been defaced if basic patch management practices had been followed.
WHAT IS BEING DONE TO COMBAT THE THREATS?
Single sign-on and a federated system
- Federated identity, or identity federation, is a new approach to extending the reach of existing single sign-on systems through a secure exchange of user data among cooperating organizations, whether within a company or between companies.
- Federation enables a seamless experience for the user across multiple services, gives companies better control over their user identities, and enhances security by reducing the number of places where the same user needs to be managed.
- Single sign-on will still include at least two-factor authentication.
Some links to consider for further research
- RUTHERFORD, N.J. (9/27/05): Credit Unions' Virtual Assistant (CUVA) and Green Armor Solutions are coming together to provide credit unions with an anti-phishing system.
- Identity Cues combines technology and psychology to combat phishing, pharming and other forms of online fraud (Business Wire, Sept. 21).
- "Identity Cues makes it obvious to users whether they are using a credit union's legitimate website or a phony website set up to enable fraud. It also integrates with online banking applications and does not interfere with the online banking process."
Some links to consider for further research
- According to Green Armor, Identity Cues uses easily recognizable visual cues (such as colored letters) during every login so that users can quickly, and even subconsciously, recognize whether the site is genuine.
- Cues are displayed as users type their usernames and passwords. They vary between users but are identical on each login for any particular user.
- Caveat: a cue that appears once the username is typed can be fetched by a phishing site that forwards the username to the genuine site in real time, so cues raise the bar but do not replace checking the address bar.
Vendors in the news: Cyota
- In March, a Pennsylvania credit union started rolling out a two-factor authentication technology from Cyota Inc. that analyzes and scores the risk of individual online banking transactions. The scoring is based on criteria such as the end user's computer, IP address, geographic location and transaction history.
- Users attempting online banking transactions that the system flags as high risk are authenticated via a telephone call or a challenge-and-response process.
Vendors in the news: Cyota and PassMark (cost comparison)
- Implementing PassMark's technology for a bank with 50,000 online users costs $1 per user annually, said Steve Klebe, a vice president at the Redwood City, Calif.-based vendor.
- For larger banks, the yearly per-user cost can be less than the price of a single postage stamp, he added. Cyota's technology also costs less than $1 per user annually, according to the New York-based company.
- In contrast, token-based authentication can easily cost up to $10 per user each year. Its cost and complexity tend to limit the use of tokens to high-value transactions or internal applications.
Vendors in the news: Digital Insight
- Digital Insight, a provider of outsourced Internet banking services, plans to start offering multifactor authentication capabilities based on technology from TriCipher Inc. of San Mateo, Calif.
- TriCipher lets consumers use their computers as an authentication credential when conducting online transactions, or store portions of their credentials on personal devices such as MP3 players.
Vendors in the news: L9.com
- Safe2Login acts as a third-party trust authority employing mutual authentication technologies: a multifactor positive authentication process coupled with the ability to authenticate the banking server to the customer.
- According to Safe2Login, the recent NCUA and FFIEC guidance mandates a need to reliably authenticate customers and to defend against phishing and pharming by verifying that the customer is in fact communicating with the correct banking server, not a spoofed site.
- Mutual authentication is the methodology required to meet these goals.
Vendors in the news: L9.com
- L9.com's Safe2Login authentication solution received the 2005 CUNA Technology Council Future Forum "Best of Show" award.
- Mutual authentication is a process whereby the customer's identity is authenticated and the target web site is authenticated to the customer.
- Currently, most credit unions do not authenticate their web sites to the customer before collecting sensitive information. Credit unions can help customers tell legitimate sites from spoofed sites by authenticating their web site to the customer.
Vendors in the news: L9.com
- Safe2Login's customer verification process is classified as a layered positive verification process, in which Safe2Login, acting as a trusted third party, ensures that material information provided by an applicant during login matches the information supplied during the secure registration process.
- The Safe2Login multifactor authentication process requires that users know several pieces of information, which they supply to the system in a way the vendor says defeats keyloggers.
- This gives the credit union an increased level of confidence that the customer is who they say they are.
Vendors in the news: Netcraft
- Netcraft can automatically scan a customer's web sites daily for redirection URLs in use, promptly catching open redirects introduced by inadvertent web design and application development.
- www.netcraft.com
HOW TO PROTECT YOUR WEB SITE
Protect your web site
- Purchase and maintain all domain names that resemble the credit union's web site address.
- Ensure domain names are registered to the credit union, with the credit union CEO as the registrant contact.
- Review both the Admin and Technical contacts.
- Secure the registrar account user ID and password.
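Deciding which lookalike names to buy (or at least to watch) is easier with a generator than by hand. The following is an added example written for this page, not code from the presentation or from any vendor: it produces the single-edit typosquat forms of a domain (dropped, doubled, swapped, substituted and inserted characters, and hyphen removal) and checks a constructed list of observed domains against them. The legitimate domain and the observed list are assumptions; the one hit of interest is the "cytigroup" spelling from the Citi example.

```python
import string

# Added example, not from the presentation. Inputs below are constructed.
LEGIT_DOMAIN = "citigroup.com"
OBSERVED_DOMAINS = [          # e.g. from registrar or certificate logs
    "citigroup.com",
    "cytigroup.com",
    "citigruop.com",
    "citigroup-online.com",
    "unrelated.example",
]

_CHARS = string.ascii_lowercase + string.digits + "-"


def lookalikes(domain: str) -> set:
    """All single-edit variants of the label before the TLD, as full domains.
    The TLD itself is kept fixed; .net/.co variants are a separate, shorter list."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # omission:      ctigroup
        variants.add(name[:i] + name[i] + name[i:])           # repetition:    ciitigroup
        if i + 1 < len(name):                                  # transposition: ictigroup
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        for c in _CHARS:
            if c != name[i]:
                variants.add(name[:i] + c + name[i + 1:])     # substitution:  cytigroup
            variants.add(name[:i] + c + name[i:])             # insertion:     cxitigroup
    for c in _CHARS:
        variants.add(name + c)                                 # trailing char: citigroupp
    variants.add(name.replace("-", ""))                        # hyphen dropped
    variants.discard(name)
    return {v + "." + tld for v in variants
            if v and not v.startswith("-") and not v.endswith("-")}


def flag_lookalikes(legit: str, observed) -> list:
    """Observed domains that are one edit away from the legitimate one, sorted."""
    watch = lookalikes(legit)
    return sorted(d for d in observed if d.lower() in watch)


if __name__ == "__main__":
    watch = lookalikes(LEGIT_DOMAIN)
    print(f"{len(watch)} single-edit variants of {LEGIT_DOMAIN}")
    for hit in flag_lookalikes(LEGIT_DOMAIN, OBSERVED_DOMAINS):
        print("lookalike registered:", hit)
```

The variant count runs into the low thousands for a nine-letter name, so buying every one is unrealistic; the practical use is the second function, run against new registrations and certificate issuances for the credit union's own name, with the "buy" list limited to the handful a member is likely to mistype.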
Protect your web site
- Periodically change the password and verify that the account information is current.
- Ensure a documented procedure is in place for this to occur. Do not leave it up to one employee.
- Change all password information upon employee termination or absence.
Protect your web site
- Review the web site daily to ensure pages have not been compromised.
- Do not give the web host provider or designers permission to make any changes to the domain records for contact or DNS information.
- Remove all detailed contact information from the web site.
Protect your web site
- Ensure the web site and other online service providers apply security patches as threats are identified.
- Review security reports and incidents from the web host company and all other online service providers.
- Contract a third party to perform remote vulnerability assessments (RVAs) if the service provider does not perform them periodically.
- Make sure an objective third party performs the RVAs.
Protect your web site
- Ensure multiple employees or groups receive alerts on the latest Internet security threats.
- Ensure you have identified all vendors involved in your Internet services.
- Follow the risk assessment process, including the collection, retention and disposal of membership information.
HOW TO EDUCATE YOUR MEMBERS
Educate your members
- Provide written guidance upon entering the web site.
- Fraud prevention: link to the correct free credit report site.
- Link to the latest threats.
- Advise them not to work with their accounts on shared computers; stay away from library and other public connections.
- Change passwords frequently.
- Consider implementing a maintenance/security board to notify members of any threats, periodic maintenance, etc.
- Consider a hotline.
Educate your members
- Provide members with guidance for reporting Internet identity theft.
- The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
- IFCC's mission is to address fraud committed over the Internet. For victims of Internet fraud, IFCC provides a convenient and easy-to-use reporting mechanism that alerts authorities to a suspected criminal or civil violation.
- www.ifccfbi.gov/index.asp
Educate your members
- Provide members with guidance for learning about and reporting spam.
- The FTC web site has information about the Federal Trade Commission's recent law enforcement actions against deceptive commercial e-mail and spammers' responsibilities under the CAN-SPAM law.
- In the "For Consumers" section, you'll find tips on how to reduce the amount of spam e-mail in your inbox.
- www.ftc.gov/spam
Other helpful web sites
- Federal Computer Incident Response Center (FedCIRC) at http://www.fedcirc.gov
- Federal Financial Institutions Examination Council at http://www.ffiec.gov/ffiecinfobase/index.html
- US Computer Emergency Readiness Team (US-CERT) at http://www.us-cert.gov
Buckley Technology Group
- Kristina Buckley, President
- kmb_at_buckleytechgroup.com
- www.buckleytechgroup.com
- 781.829.9934
- 130 Till Rock Lane, Norwell, MA 02061
Preferred Information Security Business Partner
- Netivity Solutions
- www.netivitysolutions.com
- Skip Tappen, Vice President and General Manager
- 271 Waverley Oaks Road, Waltham, MA 02452
- 781-472-3466