
CyberSecurity Institute

Security News Curated from across the world


Category: Financial

Customer ID: Frontier Bank Seeks New Level Of Security

Posted on December 1, 2004 (updated December 30, 2021) by admini

New account holders had to be verified to near certainty and screened against the OFAC database and other government watch lists to thwart crooks, scam artists and potential terrorists.

The bank needed a cost-effective and compliance-ready solution through automated ID verification software, a niche IT product that seamlessly works with existing new account procedures to enhance identity safeguards and build a database of documentation showing the bank’s compliance with Section 326, the customer identity regulations in the Patriot Act.

The answer, in this case, was eFunds’ ID verification system, which came packaged with Scottsdale, AZ-based eFunds’ ChexSystems fraud prevention and risk management solution already employed by Frontier.

The new system could track what records new account reps were pulling for customer verification, allowing Roush to determine which employees are not completing full records checks, or those who aren’t clearing up “false positives” that mistakenly rejected customers.

Bankers Systems acquired Atchley Systems in October 2003 to broaden its Patriot Act compliance offerings.

Sheshunoff Information Services bank compliance consultant Lorraine Hyde believes most banks are largely taking the necessary steps from a “safety and soundness standpoint,” but not just for examinations.

http://www.banktechnews.com/article.html?id=20041101ZV7Q0QP5


Banks look to trial web toolbars to counter phishing e-mail attacks

Posted on November 23, 2004 (updated December 30, 2021) by admini

The UK payments association Apacs said banks were investigating the technology as one of a range of countermeasures to tackle the epidemic of phishing.

The disclosure follows an attack on NatWest, which forced the bank last week to suspend the ability to make third-party payments for more than two days, affecting one million customers.

Tom Salmond, manager of the e-banking working group at Apacs, said the anti-phishing toolbars had been introduced by sites such as eBay and that the same technology could help bank customers.

Banks are beginning to personalise the e-mails they send to customers by including their names and an agreed code-phrase to help customers to identify genuine e-mails from their bank.

In the longer term, the industry is looking to use two-factor authentication to verify customers’ identities.

Barclaycard is trialling a system that uses low-cost card-readers to generate pass-codes from bank cards.

Interim solutions under investigation include proposals to send SMS messages to customers to confirm transactions, and the introduction of pads of one-time user passwords.

A small number of banks have introduced software to detect suspicious transactions generated by phishing attacks, and this is likely to be taken up more widely, Salmond said.

“This kind of solution will be increasingly adopted in the next six to nine months,” he said.

Banks are also signing up to services which monitor the internet to detect websites which may be attempting to mimic real banking websites, and provide early warnings of the launch of new phishing attacks.

Apacs plans to launch a publicity campaign over the coming weeks to alert the public to the dangers of acting as “money mules” for phishing gangs.

http://www.computerweekly.com/articles/article.asp?liArticleID=135252&liArti%20cleTypeID=1&liCategoryID=6&liChannelID=22&liFlavourID=1&sSearch=&nPage=1#


Oracle Releases Risk Hub

Posted on November 16, 2004 (updated December 30, 2021) by admini

With this product, Oracle would be used as the consolidation point for offerings from other risk management providers.

On the operational risk side, Oracle has a dashboard product called “Internal Controls Manager” that allows drill-down access to data and events being tracked for regulatory compliance. “It’s a single place to integrate information that’s related to every one of the regulatory mandates, so that you can drill down through the same dashboard in Sarbanes-Oxley information, Basel II information, Patriot Act information, and see the relationships,” says Andrea Klein, vice president of financial services industry marketing for Oracle.

Getting a handle on enterprise risk does more than help satisfy regulatory mandates stemming from Basel II.

“In the same way that the Basel II guidelines are going to make the banks more aware of their capital position so they can manage their money more effectively, you can do that same kind of better management on each one of your corporate accounts,” she says.

http://www.banktech.com/story/news/showArticle.jhtml?articleID=53200242


Banks brace for cashpoint attack

Posted on November 11, 2004 (updated December 30, 2021) by admini

This fall the Global ATM Security Alliance (GASA) published what it says are the first international cyber security guidelines specifically tailored to cash machines. Experts see new dangers as legacy ATMs running OS/2 give way to modern terminals built on Microsoft Windows.

“The recommendations presented in this manual are essentially designed to provide a common sense approach to the rapidly changing threat model that the introduction to the ATM channel of the Windows XP and other common use operating systems, as well as the TCP/IP network protocol suite, has created,” said the manual’s author, Ian Simpson, in a statement.

The move comes one year after the Nachi worm compromised Windows-based automated teller machines at two financial institutions, in the only acknowledged case of malicious code penetrating ATMs. The cash machines, made by Diebold, were built on Windows XP Embedded, which suffered from the RPC DCOM security hole Nachi exploited. In response to the incident, Diebold began shipping new Windows-based ATMs preinstalled with host-based firewall software, and offered to add the program for existing customers.

Though ATMs typically sit on private networks or VPNs, supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

Last year’s Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network and spewing so much traffic that the cash machines couldn’t process customer transactions.

The goal of the ATM cyber security best practices document, which has not been made public, and a related white paper developed by GASA, is “to be proactive in fighting what might be the next wave of ATM crime – namely cyber attacks,” said Mike Lee, founding coordinator of the group, in a statement.

GASA’s members include fraud prevention agencies, financial industry associations, the US Secret Service, Visa and MasterCard, and some ATM networks and manufacturers, including Diebold and NCR.

http://www.newsisfree.com/iclick/i,60511486,1393,f/


Secret Service warns banks to beware the enemy within

Posted on August 31, 2004 (updated December 30, 2021) by admini

In 87% of the cases the insiders employed simple, legitimate user commands to carry out the attacks, and in 78% of the incidents, the insiders were authorised users with active computer accounts. Most were motivated by financial gain, with 30% of user organisations realising losses above $500,000.

The report states: “Management attention on financial performance, to the exclusion of good risk management practices, seems to be a recurrent theme in some of the cases in this study.” Reducing the risk of these attacks requires organisations to look beyond their information technology and security to their overall business processes, say the report’s authors.

The study confirms Gartner research, published in 2003, showing that insiders represent a significant and underappreciated class of threat agent. Gartner estimates that through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorised use of computers and networks.

The analyst group recommends that financial service providers conduct a confidential inventory of all individuals with the technical skills, means or motivation to damage the company’s systems or misuse information. Firms should then look to reduce or eliminate the threat from these parties, wherever possible, by taking steps such as changing passwords and access rights immediately when an insider’s status changes – for example, when an employee leaves, relationships with auditors or suppliers change or consultants complete a project.

http://www.finextra.com/topstory.asp?id=12404


Joint Forum Issues High-Level Outsourcing Principles

Posted on August 25, 2004 (updated December 30, 2021) by admini

The principles are intended to guide firms and regulators to maintain high standards of corporate governance and risk management in an environment of rapid IT innovation and a high reliance on external service providers.

The Joint Forum consists of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors.

In summary, regulated entities should:

– Assess whether and how activities can be appropriately outsourced, under the aegis of the board of directors.
– Establish a comprehensive outsourcing risk management program.
– Prevent outsourcing from impeding regulatory supervision or disrupting customer obligations.
– Conduct appropriate due diligence when selecting third-party service providers.
– Use written contracts to govern all material aspects of outsourcing relationships.
– Establish and maintain contingency plans with service providers.
– Ensure that confidential information is protected from unauthorized disclosure.

On the last point, regulators have taken note of the potential vulnerability in having too many banks using too few service providers, or having several banks share a common disaster recovery site.

The report states: “When a limited number of outsourcing service providers (sometimes just one) provide outsourcing services to multiple regulated entities, operational risks are correspondingly concentrated, and may pose a systemic threat.”

The Joint Forum recommends risk mitigation tools including adequate contingency planning by regulated entities, ongoing monitoring and awareness, supervisory programs and risk assessments.

http://www.bankinfosecurity.com/?q=node/view/1593
