A Regulator’s Perspective of Best Practices in Combating Cybercrime - Transcript

Executive Fraud Forum
October 30, 2013

Tony DaSilva, senior examiner
Federal Reserve Bank of Atlanta

Blake McDaniel: Hi. I'm Blake McDaniel at the Federal Reserve Bank of Atlanta. We're here at the Executive Fraud Forum, and I'm joined right now by Tony DaSilva, senior examiner. How are you, Tony?

Tony DaSilva: Doing well, thank you.

McDaniel: Glad to have you here with us today. We've got a few questions that we want to ask you about fraud. And I want to start it out with: what would you say is the biggest concern that financial institutions should have or that examiners have with regard to cybercrime?

DaSilva: Unfortunately, it would be a multiple-choice question. It would be all of the above. Cybercrime is probably number two or number three in community banks' and large bank organizations' concerns these days because it is evolving and it gets worse and worse. But if we were to narrow it down, I would say denial-of-service attacks and distributed denial-of-service attacks would be the top one or two, and then, of course, identity theft and account takeovers. Those are the most frequent and most recent cyberattacks that we're most concerned with because they, number one, affect the bank's reputation, their website's availability, and then when you talk about the ability to take over a corporate account or a customer's account and send fraudulent wires or ACH files—that could be a significant loss to the banks, so those are our primary concerns. But, again, all of the above. It is just a changing landscape, constantly.

McDaniel: Right, well, so given the fact that there are so many different types of cybercrimes that financial institutions have to look out for, what can they do to protect themselves and protect their customers from cybercrime?

DaSilva: Well, the most important thing is their IT staff. Well, let me backtrack. I think even more important is that the board and senior management understand these threats and the threats to the institution. Number two, that they provide the appropriate resources to their staff, to their IT area, to their operations area, so that they can mitigate and attempt to control these, to try to stay a step ahead of the cybercriminals, very difficult to do. There are a lot of firms out there, Internet service providers that have solutions, cloud solutions, and other solutions that may help mitigate [risks]—but [it's critical] to stay on top of these things. And of course there's guidance that the FFIEC [Federal Financial Institutions Examination Council] and other regulatory agencies have provided to the institutions, [and] it's very important that banks adhere to that guidance to protect themselves.

McDaniel: So it's really an evolving thing. As the cybercrimes advance, then the financial institutions need to advance to stay ahead of them, too.

DaSilva: Absolutely, and they've got a lot of good partners in the industry, as well as the FBI and other agencies that are collaborating with the institutions to help avoid the possibility of potential losses.

McDaniel: Well, it sounds like there is a lot of help out there for financial institutions looking to mitigate fraud.

DaSilva: There are, but, more importantly, the current guidance that's out there...that was effective January 2012 from the FFIEC on account takeovers—[it] is very, very important that our institutions follow that guidance. It's a three-pronged approach to mitigating account takeover risk, or that type of cybercrime. Number one is doing an effective risk assessment of all your channels that you allow your customers to transact business electronically with your institution, understanding where those high-risk transactions are. And then, when you identify those high-risk transactions—as an example, ACH or wire transfer—then putting layered security in place. Not just multifactor authentication but other means of protecting your institution. Anomaly detection, where you're looking at your customer's behavior, you're looking at that wire transfer—does it make sense, have they ever sent a wire to the particular bank? To that institution overseas? [Look at] the dollar amount of that wire, even the account number and the name of that person. Same thing with an ACH file—dissecting that ACH file to see is there's something that looks suspicious with that file.

And then the third component is customer education, and I [would] add to that your customer contract or agreement. Renegotiating that, understanding that your customers ought to understand their responsibility in that transaction so it's not always the bank's responsibility.

McDaniel: Interesting. So I'm going to jump back. You mentioned previously that account takeovers and denial-of-service attacks were some of the more recent examples. Could you walk us through one of those examples?

DaSilva: Exactly. We've had institutions where there has been a denial-of-service attack and...they have an account takeover that's happening at the same time. And the theory is that they're masking through...the distributed denial-of-service attack that fraudulent wire transfer or account takeover that's taking place, or ACH. We've also had just the basic—I hate to say "basic" because it's very sophisticated—account takeover, where a cybercriminal has gone into the customer's account through keylogging software—Zeus, spyware—and understood exactly what the customer's doing from the behavioral perspective. They know that they send a payroll file out on the 13th of every month or two days before the end of the month. The file is a million to two million dollars, whatever the dollar amount, the number of transactions, the institutions that those credits are going to. And they send a bogus or fraudulent file to their processor, or to the Federal Reserve or to EPN, and they process that file through their institution, via their institution. And we've had several of those incidents, and the customers have lost the money or the bank has settled out of court and the bank has lost the money.

McDaniel: So it sounds like these cybercriminals are very smart in the way they go about these things, either trying to make these transactions look like legitimate transactions or trying to divert the resources of the bank towards, you know, other things and then committing the crime or the fraud in a different place.

DaSilva: Absolutely. They're professionals. I mean the problem that most of us have is we think of these cybercriminals as people who are working out of their garages or basements. These are companies. These are organized crime organizations. Criminals that in many cases, believe it or not, are working out of high rises in cities in Eastern Europe, all over the world, Asia, Africa, and it's a business, and they're very professional and they have the resources—in fact, at times, better resources, better-educated resources, even than our institutions from a cybercrime prospective.

McDaniel: Wow, so that's a lot to think about in terms of what a financial institution needs to do to sort of, you know, avert any of these cybercrime activities.

DaSilva: Absolutely. It's a partnership between financial institutions, law enforcement, and their Internet service providers, and their third-party processors that they use.

McDaniel: Well, I know you've given me a lot to think about, so I want to thank you for being here, Tony, and I want to thank you for being with us.