Online Fraud Trends – Staying Ahead of the Threats

1 ID Management in Financial Services – May 2005

Online Fraud Trends – Staying Ahead of the Threats

Matthew Biliouris, Information Systems Officer – NCUA

Slide 2

Credit Union Industry Statistics

[Chart: number of credit union websites by type (Interactive, Non-Interactive, Total); y-axis 0 to 6,000]

Slide 3

Credit Union Industry Statistics

[Chart: website growth by type (Interactive, Non-Interactive, Total), semi-annual from June 1999 to December 2004; y-axis -20.0% to 60.0%]

Slide 4

Credit Union Industry Statistics

[Pie chart: Percentage of FICUs by Website Type, December 31, 2004; segments None, Informational, Interactive, Transactional; values as extracted: 41.2%, 14.3%, 3.7%, 40.7% None]

Slide 5

Credit Union Industry Statistics

[Pie chart: FICU Assets by Website Type, December 31, 2004; segments None, Informational, Interactive, Transactional; values as extracted: 3.5%, 4.3%, 90.0%, 2.2%]

Slide 6

Risk Assessment Process

1. Identify Risks
2. Understand Risks
3. Prioritize Risks
4. Develop & Implement Action Plans
5. Monitor

Slide 7

Security Programs

Gramm-Leach-Bliley Act – Section 501(b)
– Outlines Specific Objectives
– Requires NCUA to Establish Standards for Safeguarding Member Records

Slide 8

Security Programs

Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access

Specifically Stated in §748.0(b)(2)

Slide 10

Security Programs

Appendix A – Guidelines for Safeguarding Member Information
– Involvement of Board of Directors
– Assess Risk
– Manage & Control Risk
– Oversee Service Providers
– Adjust the Program
– Report to the Board

Slide 11

Security Programs

Response Program Guidance
– Increasing Number of Security Events
– Congressional Inquiries
– GLBA Interpretation
– FFIEC Working Group
– Revise Part 748 – Add New Appendix B

Slide 12

Security Programs

Credit Unions Must Have Process in Place to:
– Ensure Security & Confidentiality of Member Records
– Protect Against Anticipated Threats or Hazards
– Protect Against Unauthorized Access
– Respond to Incidents of Unauthorized Access to Member Information

Slide 14

Security Programs

Appendix B – Guidance on Response Programs
– Components of a Response Program
  – Assessing Incident
  – Notifying NCUA/SSA
  – Notifying Law Enforcement Agencies
  – Containing/Controlling Incident
  – Notifying Affected Members

Slide 15

Security Programs

Appendix B – Guidance on Response Programs
– Content of Member Notice
  – Account/Statement Review
  – Fraud Alerts
  – Credit Reports
  – FTC Guidance

Slide 16

PART 748 APPENDIX B

Conflict with State Law – e.g., California Notice of Security Breach statute
– Requires notice to California residents when unencrypted member information is or may have been acquired by an unauthorized person
– Gramm-Leach-Bliley Preemption Standards: no intent to preempt where state law provides greater consumer protections

Slide 17

NCUA Expectations

Potential Questionnaire:
– Incorporated into Overall Security Program
– Escalation Process / Incident Response
– Review of Notices – Attorney Review?
– Enterprise Wide Approach
– Reporting to Senior Management
– Member Outreach / Awareness Programs
– Employee Training Programs

Slide 18

“Phishing”

Slide 19

Quotes

“…The use of digital media also can lend fraudulent material an air of credibility. Someone with a home computer and knowledge of computer graphics can create an attractive, professional-looking Web site, rivaling that of a Fortune 500 company…”

Arthur Levitt, Former Chairman of the SEC

Slide 20

Phishing 101

Phishing uses e-mail to lure recipients to bogus websites designed to fool them into divulging personal data.

Slide 21

Phishing 101

E-mail

Spoofed address

Convincing

Sense of urgency

Embedded link (but not always)
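The traits listed on this slide can be checked mechanically before a reported message reaches an analyst. The Python below is an added example, not code from the NCUA presentation; examplecu.org is a hypothetical credit-union domain and both messages are constructed for illustration. It flags a From address whose domain disagrees with Reply-To or Return-Path, urgency phrasing in the subject or body, and embedded links whose real host is not the credit union's (including the user@host trick, which urlsplit() resolves to the real host) or whose visible text shows a different host than the href.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical credit-union domain (assumption for this example).
INSTITUTION_DOMAIN = "examplecu.org"

# Phrases typical of the "sense of urgency" trait.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin (24|48) hours\b", r"\bsuspend(ed)?\b",
    r"\bverify your account\b", r"\burgent\b", r"\bfailure to\b",
]
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def sender_domain(header_value):
    """Domain part of an address header ('' if the header is absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def url_host(url):
    """Host the browser would really connect to. urlsplit() drops any 'user@'
    prefix, so http://examplecu.org@198.51.100.7/login yields 198.51.100.7."""
    return (urlsplit(url).hostname or "").lower()


def is_institution_host(host, domain=INSTITUTION_DOMAIN):
    """Exact match or a true subdomain; 'examplecu.org.evil.example' fails."""
    return host == domain or host.endswith("." + domain)


def analyze(raw_message):
    """Return a list of findings; an empty list means none of the traits fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Trait 1: spoofed sender. The visible From domain should agree with
    # where replies and bounces actually go.
    from_dom = sender_domain(msg.get("From", ""))
    for header in ("Reply-To", "Return-Path"):
        dom = sender_domain(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # Trait 2: sense of urgency in subject or body (HTML tags stripped).
    body = msg.get_payload()  # assumes a single-part message
    text = msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)
    cues = [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]
    if cues:
        findings.append(f"{len(cues)} urgency cue(s) matched")

    # Trait 3: embedded links whose real destination is off-site, or whose
    # visible text shows one host while the href points at another.
    for href, label in ANCHOR_RE.findall(body):
        dest = url_host(href)
        if not is_institution_host(dest):
            findings.append(f"link destination {dest} is outside {INSTITUTION_DOMAIN}")
        shown = URL_RE.search(label)
        if shown and url_host(shown.group(0)) != dest:
            findings.append(f"link text shows {url_host(shown.group(0))} but points to {dest}")
    for url in URL_RE.findall(ANCHOR_RE.sub(" ", body)):
        if not is_institution_host(url_host(url)):
            findings.append(f"bare link to {url_host(url)} is outside {INSTITUTION_DOMAIN}")
    return findings


# Constructed sample messages (not real phishing mail).
PHISH = """\
From: "Example CU Security" <alerts@examplecu.org>
Reply-To: verify@examplecu-secure.com
Return-Path: <bounce@mail-relay.example.net>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your online access will be suspended unless you verify your account immediately.</p>
<p><a href="http://examplecu.org@198.51.100.7/login">https://www.examplecu.org/login</a></p>
</body></html>
"""

LEGIT = """\
From: "Example CU" <newsletter@examplecu.org>
Subject: Spring newsletter
Content-Type: text/plain

Our spring rates are posted at https://www.examplecu.org/rates
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(sample))
```

The host comparison is the part worth copying: matching on the visible URL text or on a substring such as "examplecu.org" anywhere in the link would accept both the user@host form and a host like examplecu.org.evil.example, which is exactly what the copied sites on the next slides rely on.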

Slide 22

Phishing Trends

Anti-Phishing Working Group: industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing.

APWG Members
- Over 400 members
- Over 250 companies
- 8 of the top 10 US banks
- 4 of the top 5 US ISPs
- Over 100 technology vendors
- Law enforcement from Australia, CA, UK, USA

Slides 23 and 24

Phishing Trends

[Charts from the APWG report]

Source: APWG Phishing Attack Trends Report – March 2005

Slides 25 through 31

Examples (June 2004, March 2004, May 2004)

[Screenshots of phishing e-mails from the APWG archive]

Source: Anti-Phishing Working Group Phishing Archive

Slide 32

Training / Policy Development

Awareness

Handling complaints & reports of suspicious e-mails/sites

Protect on-line identity of credit union

Response Plan

Phishing Action Plans – Employee Education

Slide 33

Communication Methods

Internet Banking Agreements

Newsletters

Statement Stuffers

Recordings when on “hold”

Website (FAQs / Advisories / Links)

Phishing Action Plans – Member Education

Slides 34 through 36

Action Plan Ideas - Education

[Screenshots]

Slide 37

Content

We will never ask for xxx via e-mail

We will never alert you of xxx via e-mail

Always feel free to call us at # on statement

Always type in our site URL (see statement / newsletter / previous bookmark)

Phishing Action Plan Ideas – Member Education

Slide 38

Content (cont’d)

Sites can be convincingly copied

Report suspicious e-mails & sites

Where to get more advice on phishing

Importance of patching

How to validate site (via cert or seal)

Where to go for ID theft help

Phishing Action Plan Ideas – Member Education

Slide 39

Considerations:

Keep certificates up-to-date

Practice good domain name controls

Don’t let URLs lapse

Purchase similar URLs / Search for similar URLs

Phishing Action Plan Ideas – Protection of CU’s Online Identity
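"Search for similar URLs" and the triage of hosts that members report can be automated. The Python below is an added example, not from the NCUA deck; examplecu.org is a hypothetical credit-union domain. lookalikes() enumerates the single-edit typos, homoglyph swaps, hyphenated affixes and TLD variants a credit union could check against registrations or buy defensively; is_suspicious() flags a host seen in a reported e-mail whose registrable name is in that set, is within one edit of the credit union's label, or uses the credit union's name as a subdomain of someone else's domain.

```python
import string

# Hypothetical credit-union domain (assumption for this example).
INSTITUTION_DOMAIN = "examplecu.org"

# Characters a phisher swaps for look-alikes in a URL bar or an e-mail.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLDS = ("com", "net", "org", "info", "biz", "us")
AFFIXES = ("secure", "online", "login", "my", "verify")
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def label_variants(label):
    """Single-edit mutations of the second-level label."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i + 1] + label[i] + label[i + 1:])       # repetition
        if label[i] in HOMOGLYPHS:                              # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i + 1 < len(label) and label[i] != label[i + 1]:     # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for word in AFFIXES:                                        # hyphenated affix
        out.add(f"{label}-{word}")
        out.add(f"{word}-{label}")
    # Keep only labels that could actually be registered.
    return {v for v in out if v and set(v) <= VALID_LABEL_CHARS and v[0] != "-" and v[-1] != "-"}


def lookalikes(domain=INSTITUTION_DOMAIN):
    """Candidate domains a CU should search for (and consider registering)."""
    label, _, tld = domain.lower().rpartition(".")
    names = label_variants(label) | {label}
    candidates = {f"{name}.{t}" for name in names for t in TLDS + (tld,)}
    candidates.discard(domain.lower())
    return sorted(candidates)


def edit_distance(a, b):
    """Levenshtein distance, for variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_suspicious(host, domain=INSTITUTION_DOMAIN, max_distance=1):
    """Triage a host seen in a reported e-mail or a new-registration feed.
    Assumes a single-label public suffix; a public-suffix list is needed
    before this is applied to names such as example.co.uk."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if len(parts) < 2:
        return False
    registrable = ".".join(parts[-2:])
    if registrable == domain or host.endswith("." + domain):
        return False  # the CU's own name or a real subdomain of it
    own_label = domain.split(".")[0]
    if own_label in parts[:-2]:
        return True  # CU's name used as a subdomain of someone else's domain
    return registrable in set(lookalikes(domain)) or edit_distance(parts[-2], own_label) <= max_distance


if __name__ == "__main__":
    cands = lookalikes()
    print(len(cands), "candidates, e.g.", cands[:5])
    for h in ("www.examplecu.org", "login.examp1ecu.org", "examplecu.org.evil.example"):
        print(h, is_suspicious(h))
```

The generated list is the input to the "purchase similar URLs" step; the edit-distance check covers the long tail the list misses, at the cost of occasionally flagging an unrelated name one character away, so treat a hit as a queue item for review rather than an automatic takedown request.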

Slide 40

NCUA

(08/03) LTR 03-CU-12 Fraudulent Newspaper Advertisements, and Websites by Entities Claiming to be Credit Unions

(04/04) LTR 04-CU-05 Fraudulent E-Mail Schemes

(05/04) LTR 04-CU-06 E-Mail & Internet Related Fraudulent Schemes Guidance

FFIEC Agency Brochure

Phishing Resources

Slides 41 and 42

Action Plan Ideas - Education

[Screenshots]

Slide 43

Inside the Examiner’s Playbook

Think Globally

Vendor Management

Security Program (Part 748)

Employee Remote Access

Risk Assessment

Patch Management

IDS/Incident Response

Virus Definition Updates

BCP

Formal Policies

Slide 47

FFIEC IT Handbook

Slide 48

FFIEC IT Examination Handbook

Development & Acquisition

Management

Operations

Outsourcing

Retail Payment Systems

Wholesale Payment Systems

Issued: BCP, Information Security, Supervision of TSPs, Audit, E-Banking, Fedline

Slide 52

Contact Information:

Matthew Biliouris

703-518-6394

[email protected]

Questions??

