1. Faces of Fraud: What Every Institution Should Know Presented by: Tom Field Editorial Director Information Security Media Group: BankInfoSecurity.com CUInfoSecurity.com GovInfoSecurity.com HealthcareInfoSecurity.com

2. About Information Security Media Group Publisher of BankInfoSecurity.com, CUInfoSecurity.com, GovInfoSecurity.com and HealthcareInfoSecurity.com Focused on providing content about information security specifically for the private and public sectors Daily articles, interviews, opinions, agency alerts, white papers More than 100 educational webinars Learn more: https://www.bankinfosecurity.com/checkoutMemberships.phphttps://www.bankinfosecurity.com/checkoutMemberships.php

3. Agenda Research Results Faces of Fraud: – Skimming; – POS; – ACH. Solutions Resources Questions?

4. About Fraud… Let’s Play Fraud Jeopardy! Answer: 45

5. About Fraud … Question: How many skimming incidents have their been so far in 2010?

6. About Fraud … Answer: – Phishing! – Smishing – Vishing! –(Oh, my …!)

7. About Fraud … Question: What do you call socially-engineered attacks against businesses via: e-mail Telephone Text message

8. About Fraud… Answer: 130,000,000

9. About Fraud… Question: How many accounts were impacted by the Heartland Data Breach? Other numbers: 3,000 – estimated # of institutions $60 M – proposed Visa settlement ?? – amount of time and resources spent replacing cards, monitoring accounts, reassuring customers

10. The State of Banking Information Security 2010 10

11. About the Survey: Methodology Survey administered electronically in early 2010. Banks: 43% Credit Unions: 35% $2B+ Assets: 26% $500M - $2B Assets: 17% < $500M Assets: 41%

12. 2010 Hot Topics Fraud: Fighting Back Beyond Heartland: Secure Payments New Services/Technologies: What’s hot, what’s now?

13. Fraud: Fighting Back Which types of fraud have you experienced over the past year?

14. Fraud: Fighting Back Which area of fraud do you feel best prepared to prevent in 2010?

15. Beyond Heartland The Heartland Impact 1 Year Later Biggest breach ever recorded Put industry on notice: Processors are the new target Raised key question: ‘What does PCI compliance mean?’

16. Beyond Heartland What is the likelihood of another major third-party data breach in 2010?

17. Beyond Heartland What is your level of confidence that PCI DSS can help prevent data breaches?

18. Beyond Heartland Several emerging technologies have been discussed as potential solutions for secure payments. Which is your preference?

19. Emerging Tech: What’s hot? It’s About So Much More than Mobile Consumerization of banking; Role of social networks; Need for policies, secure solutions

20. Emerging Tech: What’s hot? Which social networking sites do you currently employ for marketing purposes?

21. Emerging Tech: What’s hot? Does your organization have a social networking policy for employees?

22. Emerging Tech: What’s hot? Do you monitor your employees ’ social networking activity?

23. “What Could Make THE Difference…” What one factor could have the biggest positive impact on information security in your organization in 2010? Regulatory compliance Emerging technologies Policies and procedures Training and education Employee/Customer awareness

24. The Answer What one factor could have the biggest positive impact on information security in your organization in 2010?

25. The Faces of Fraud 2010 25

26. Fraud Trends: 2010 Skimming Beyond the ATM Pay-at-the-pump, POS skimming incidents on the rise POS Attacks Swapping out POS devices, i.e. Hancock Fabrics Intercepting data in transit, i.e. Julie’s Place ACH/Wire (aka Corporate Account Takeover) Banking credentials stolen Huge sums transferred before anyone notices Businesses, banks – even churches – at odds

27. Skimming “The small business owner isn't even expecting these kinds of attacks, and isn't prepared for them.” - Mike Urban, FICO

28. Skimming Types of Attacks: ATM – at bank or retail outlet; Hand-Held – favorite of rogue wait staff;

29. Skimming Types of Attacks (cont.): Self-Service – Pay at the pump; POS Tampering – Swap out or infect POS device.

30. POS Attacks "It's fairly easy in many cases. They'll come in, distract personnel and replace the equipment." - Dr. Anton Chuvakin

31. POS Attacks Hancock Fabrics: Baldwyn, MS retail chain PIN units stolen, replaced; Minimum: 140 reports of fraud nationwide; One OK. Bank replaced 1000 cards. Risk: Real people lose real money.

32. POS Attacks Julie’s Place: Tallahassee, FL restaurant Data hacked between POS and processor; Minimum: 100 accounts, $200,000; Expert: “So now the hackers have moved to capture the data while it is in transit.”

33. ACH/Wire Fraud “Talk is cheap, as we say in Texas.” - Troy Owen, fraud victim

34. ACH/Wire Fraud What the Fraudsters are doing: Infecting corporate computers used for ACH transactions; Stealing banking credentials; Creating unauthorized transfers – 100’s of 1,000’s of dollars before noticed. Did you know? Corporate Accounts are NOT Protected from Fraud Losses!

35. ACH/Wire Fraud Whom the Fraudsters Target: I. PlainsCapital Bank v. Hillary Machinery Inc. Cybercriminals transferred more than $800,000 from Hillary’s PlainsCapital account via ACH and wire transfers. II. Experi-Metal vs. Comerica Bank Phishing e-mails to Comerica customers allowed hackers to access Experi-Metal’s online bank account and drain ~ $550,000. III. Village View Escrow Inc. and Professional Business Bank Hackers broke into Village View’s network, stole bank credentials and sent $465,000 in wire transfers out of the country. IV. Patco vs. Ocean Bank Patco’s corporate account was raided after cyber thieves took over the company’s online banking credentials. In six days, $588,000 was drained and moved via money mules in the U.S.

36. ACH/Wire Fraud Latest Victim: Catholic Diocese of Des Moines $600,000 stolen; $180,000 recovered. "[The victims] don't have the same level of scrutiny that the major organizations go through, and they are less protected, less aware of the dangers." – Cris Roberts, One World Labs

37. Fraud Solutions Employee Training Be aware of latest threats – skimming, POS, ACH & others. Customer Awareness Not just consumers, but businesses – Ensure safe practices, especially when online. Enhanced Monitoring If it looks suspicious, investigate. Encourage employees to do the same.

38. New Fraud Survey The Faces of Fraud: Fighting Back Gauge the scope of the multi-faceted fraud threat to U.S. banking institutions Measure the industry’s preparedness for evolving threats Identify specific strategies and solutions employed by banking/security leaders to fight fraud Predict the emerging technologies and strategies where institutions are investing their resources http://www.bankinfosecurity.com/surveys.php?surveyID=9

39. Resources News ID Theft: Consumer Education Is Key http://www.cuinfosecurity.com/articles.php?art_id=2834 ACH Fraud: 1 Year Later http://www.cuinfosecurity.com/articles.php?art_id=2829 New Fraud Spree Investigated http://www.bankinfosecurity.com/articles.php?art_id=2804 6 Steps to Reduce Online Fraud http://www.bankinfosecurity.com/articles.php?art_id=2375

40. Resources Podcasts Partnering to Protect Privacy: Brian Dean of KeyCorp http://www.bankinfosecurity.com/podcasts.php?podcastID=673 Banking Malware: End Users are ‘Achilles Heel’: Rocco Grillo of Protiviti http://www.bankinfosecurity.com/podcasts.php?podcastID=659 Insider Threat: ‘You Can't Stop Stupid’: Dr. Eric Cole, author http://www.bankinfosecurity.com/podcasts.php?podcastID=622

41. Resources Online Webinar Catalog http://docs.bankinfosecurity.com/files/handbooks/Catalog-2010/

42. Questions Tom Field Twitter @Securityeditor LinkedIn Tom Field E-mail tfield@ismgcorp.com Phone (603) 793-6127tfield@ismgcorp.com