Corporate Account Takeover

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, September/October 2012

Earlier this year, just one hour before a bank was scheduled to educate its Board of Directors on the concerns of corporate account takeover, the bank’s call center received a call from one of its customers asking why the bank’s Internet Banking website was down. When the customer attempted to connect, they received a message stating the "Site was down for repair, check back in 24 hours." The bank verified that the site was up, and upon further investigation found that the customer’s machine had been compromised and that fraudulent transactions were being created.

Does this sound familiar? According to a survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), attacks targeted at bank customers, in which hackers attempted to take over customer banking accounts, were more numerous in 2011 than in the two previous years put together. The survey goes on to say that about a third of these attacks were successful.

What is Corporate Account Takeover?

Corporate account takeover, or CATO, is a term used for electronic crime in which cyber criminals gain access to business customers’ online banking accounts and send fraudulent wire and ACH transactions to accounts controlled by the thieves.

What Can Our Bank do to Protect Our Customers?

Corporate account takeover is particularly tricky for banks because, in many cases, it is the customers who are breached, not the bank. Below is a general list of 10 good security suggestions you can use to help protect your customers from these types of attacks. This list is not designed to be exhaustive, but it can be used as a minimal guide.

  1. Conduct a formal risk assessment and control evaluation periodically;
  2. Based on the risk assessment, develop and approve policies and procedures as part of a layered security program;
  3. Continuously educate employees, particularly those using Internet banking systems;
  4. Educate customers, and suggest customers perform a related risk assessment and control evaluation periodically;
  5. Ensure basic security controls are in place, such as: malicious software protection, firewall, patch management, dual control, encryption, intrusion detection, web filtering, email filtering, etc.;
  6. Ensure appropriate authentication/authorization controls are in place, such as: multi-factor authentication, two-way authentication, and out-of-band authentication;
  7. Ensure a process is in place to detect anomalies and respond to suspicious activity;
  8. Implement a fraud-detection system;
  9. Develop an incident response plan;
  10. Test and review processes and controls.
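As an added illustration of items 7 and 8 (this is example code written for this article, not a bank’s or vendor’s system), the following scores a business customer’s outbound ACH and wire transfers against that customer’s own history and flags the pattern described above: transfers to never-before-seen payees, at unusual hours, in quick succession. The payee names, amounts, thresholds and transaction records are constructed and hypothetical.

```python
from datetime import datetime

# Constructed sample data (hypothetical): the customer's normal outbound
# transfers, followed by a burst of new transfers to evaluate.
HISTORY = [
    {"id": "h1", "payee": "ACME-PAYROLL", "amount": 18500.00, "ts": "2012-06-01T10:05"},
    {"id": "h2", "payee": "ACME-PAYROLL", "amount": 18700.00, "ts": "2012-06-15T10:10"},
    {"id": "h3", "payee": "OFFICE-SUPPLY", "amount": 1240.50, "ts": "2012-06-20T14:30"},
    {"id": "h4", "payee": "ACME-PAYROLL", "amount": 18600.00, "ts": "2012-07-01T10:02"},
]
NEW = [
    {"id": "n1", "payee": "ACME-PAYROLL", "amount": 18800.00, "ts": "2012-07-15T10:04"},
    {"id": "n2", "payee": "UNKNOWN-PAYEE-A", "amount": 9400.00, "ts": "2012-07-16T03:12"},
    {"id": "n3", "payee": "UNKNOWN-PAYEE-B", "amount": 9300.00, "ts": "2012-07-16T03:14"},
    {"id": "n4", "payee": "UNKNOWN-PAYEE-C", "amount": 47000.00, "ts": "2012-07-16T03:20"},
]

def baseline(history):
    """Summarise what 'normal' looks like for this one customer."""
    return {
        "payees": {t["payee"] for t in history},
        "max_amount": max(t["amount"] for t in history),
        "hours": {datetime.fromisoformat(t["ts"]).hour for t in history},
    }

def score(tx, base, earlier):
    """Return (score, reasons). 'earlier' = new transfers already seen before tx."""
    reasons = []
    ts = datetime.fromisoformat(tx["ts"])
    if tx["payee"] not in base["payees"]:
        reasons.append("new payee")
    if tx["amount"] > 2 * base["max_amount"]:  # illustrative threshold
        reasons.append("amount far above history")
    if ts.hour not in base["hours"] and not 8 <= ts.hour <= 18:
        reasons.append("off-hours")
    # Several transfers to new payees within 15 minutes is a burst.
    burst = [e for e in earlier
             if abs((ts - datetime.fromisoformat(e["ts"])).total_seconds()) <= 900
             and e["payee"] not in base["payees"]]
    if burst and "new payee" in reasons:
        reasons.append("burst to new payees")
    return len(reasons), reasons

def flag(new, history, threshold=2):
    """Map transfer id -> reasons for every transfer at or above the threshold."""
    base = baseline(history)
    flagged = {}
    for i, tx in enumerate(new):
        s, why = score(tx, base, new[:i])
        if s >= threshold:
            flagged[tx["id"]] = why
    return flagged
```

A flagged transfer is meant to be held for out-of-band confirmation with the customer (item 6), not silently rejected, so a legitimate new vendor payment is delayed rather than lost.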

Resources:

  • National Cyber Security Alliance - NCSA’s mission is to educate and therefore empower a digital society to use the Internet safely and securely at home, work, and school. This website provides information and educational programs for protecting the technology individuals use, the networks they connect to, and their digital assets. http://staysafeonline.org/
  • BBB Data Security - The Better Business Bureau (BBB) created this website specifically to educate small businesses on the most common data security issues they face. Data security guidelines and suggestions are presented to help improve the security posture of small businesses. http://www.bbb.org/data-security/
  • OnGuardOnline - This website was created by the federal government to help people be safe, secure, and responsible online. This website is part of the National Initiative for Cybersecurity Education. http://onguardonline.gov/
  • US-CERT, Cyber Security Tips - This website is published by the United States Computer Emergency Readiness Team (US-CERT) and describes and offers advice about common security issues for non-technical computer users. http://www.us-cert.gov/cas/tips/
  • Texas Bankers Electronic Crimes Task Force (ECTF) - This site was created to promote awareness and provide information to bankers on cyber-related crimes and risk management practices to help protect banks and their customers. http://www.ectf.dob.texas.gov/index.htm
  • Sound Business Practices for Companies to Mitigate Corporate Account Takeover - This document was created by the National Automated Clearing House Association (NACHA) to help companies mitigate the risk of corporate account takeover. The document was developed for companies of all sizes and outlines business processes to consider when reviewing and implementing security procedures. https://www.nacha.org/userfiles/File/Sound%20Business%20PracticesBusinessesFinal042811.pdf
  • Small Business Information Security: The Fundamentals - This guide was published by the National Institute of Standards and Technology (NIST). The guide identifies recommended practices to improve information security in small businesses. http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf