During the summer of 2008, a different type of cybercrime was identified: corporate account takeover. It is costly and ranks among the fastest and stealthiest types of attack. Cybercriminals engaging in this activity surreptitiously obtain an entity's online banking credentials, use software to hijack one of its computers remotely, and steal funds from the entity's bank account, often costing the entity thousands of dollars.

According to David Nelson, a specialist in the FDIC's Cyber Fraud and Financial Crimes Section, small- and mid-size businesses (SMBs) and their financial institutions suffered about $120 million in losses from electronic funds transfer fraud in the third quarter of 2009, up from about $85 million two years earlier. According to the FBI, losses in November 2009 alone were about $100 million.


Although corporate account takeovers can take different forms, the discussion here is limited primarily to electronic funds transfer fraud, such as Automated Clearing House (ACH) or wire transfer fraud. These schemes involve three steps:

  1. Illicitly acquire login credentials. The credential compromise usually is accomplished with a malicious program distributed as an email attachment, an unintended (drive-by) web-browsing download, or a file transfer of a seemingly legitimate file. The user inadvertently allows the malicious program, such as a banking Trojan, to be downloaded and executed, usually unaware that anything malicious is occurring; the Trojan then harvests the entity's online banking credentials.
  2. Covertly gain unauthorized access to the victim's computer in order to defeat the bank's login security features. Many banks record a device or browser "fingerprint" at login and challenge sessions that do not match it. The cybercriminal uses a remote-control tool to hijack the victim's computer and conducts the banking session from that machine, so the bank sees a trusted, recognized source and the fingerprint check is never triggered. This approach allows the criminal to conduct fraudulent wire transfers out of the victim entity's bank account.
  3. Transfer the victim's bank funds to an account controlled by the cybercriminal. The cybercriminal transfers most, if not all, of the funds in the victim's bank account, usually by wire transfer. The criminal typically sends the funds to individuals known as money mules, who forward them to a protected account, such as an overseas bank account in a country that does not cooperate with U.S. banking rules and protocols.


SMBs are targets for this crime because they tend to pay less attention to information security, controls and risk assessments, so their systems tend to be more vulnerable than those of larger entities. SMBs also face resource constraints, including finances and expertise, which add further risk.

The specific person targeted often is the one most likely to be conducting online banking transactions for the entity, such as the chief accounting officer (CAO), chief financial officer (CFO), treasurer or controller, all of whom are relatively easy to identify online. The savvy cybercriminal also knows the steps needed to access accounts, as well as online banking's typical security features.

There are at least two risk areas for CPAs' clients, and for CPAs in business and industry, who perform online banking transactions.

First, the CAO, CFO, treasurer or controller often is unaware of corporate account takeovers and of the repercussions and liability that can follow (unlike consumer accounts, commercial accounts generally are not covered by the consumer protections of Regulation E, so the business, not the bank, typically bears the loss). According to one source, a survey of small businesses reported that only 18 percent of those surveyed understood that they are liable for cyber losses, which reveals a severe lack of basic cybercrime knowledge.

Second, there often is a lack of adequate controls over the online banking process. Even fairly stringent controls can be overcome by a cybercriminal's persistent attack, however, and such controls can create a false sense of security when, in reality, substantial risk remains.

A 2009 Verizon study of 600 security breaches over a five-year period found that in 87 percent of cases, investigators concluded the breach could have been avoided if reasonable security controls had been in place at the time of the incident. Thus, a good place to start BEFORE a breach occurs is with the reasonable security controls that the information security profession defines as best practices or principles.

Remediation measures and controls that apply to one cybercrime often apply equally well to others, so a single countermeasure frequently addresses multiple cybercrimes. This further supports the position that the measures and controls entities adopt after a cybercrime occurs are the same measures and controls that should have been in place before the breach.


A Computer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongest weapon for preventing and detecting cybersecurity vulnerabilities. An effective internal security audit identifies cybersecurity risks and assesses the severity of each. Following the audit, preventive controls for the major risks identified need to be instituted. Three strategies that can help management develop those controls are:

  1. Timely and proactive patching of vulnerabilities, including vulnerable software. The operating system, browser and browser plug-ins on the machine used for online banking are what a drive-by download exploits to install the Trojan in step 1.
  2. Using least-access privileges (a security concept that grants a person only the access to systems, technologies and data needed to perform his/her duties) and other sound logical access controls, which help limit crimes perpetrated internally and also limit what malware running under a user's account can do. For external threats, sound perimeter controls such as firewalls and Intrusion Detection Systems (IDS) are critical to protection.
  3. Monitoring systems, technologies and access, including the various logs those technologies create for such activities, with the associated controls varying based on the threat level (monitoring is also a detection strategy). For online banking specifically, this means reviewing account activity daily and reconciling every ACH and wire transfer, so that an unauthorized transfer is noticed before the funds reach the mule.
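Steps 2 and 3 of the attack and the monitoring strategy above point to the same control: because the criminal conducts the session from the victim's own computer, a bank-side device-fingerprint check passes, and only monitoring of the transfers themselves (a never-seen beneficiary, off-hours activity, a burst of wires) will catch the takeover while the money can still be recalled. The following Python script is an added example, not code from the original article or from any bank; the transfer records, account labels, fingerprint string and thresholds are all constructed for illustration.

```python
"""Transaction-level monitoring for ACH/wire fraud after an account takeover.

Added example: the history, the night-of-attack transfers, the device
fingerprint string and the thresholds below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # when the transfer was submitted (bank local time)
    beneficiary: str    # destination, e.g. "ACH:<routing>/<label>"
    amount: float       # USD
    device_fp: str      # device/browser fingerprint captured at login


def T(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Hypothetical fingerprint of the controller's usual laptop.
CONTROLLER_LAPTOP = "fp-a91c-win-ie8-1366x768"

# Constructed 30-day baseline for one SMB operating account: payroll,
# a supplier and rent, all submitted during business hours.
HISTORY: List[Transfer] = [
    Transfer(T("2009-10-02 09:10"), "ACH:021000021/PAYROLL-4410", 18_500.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-10-05 14:30"), "ACH:063100277/ACME-SUPPLY-2291", 2_300.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-10-16 09:05"), "ACH:021000021/PAYROLL-4410", 18_700.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-10-20 11:45"), "ACH:063100277/ACME-SUPPLY-2291", 2_450.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-10-30 09:12"), "ACH:021000021/PAYROLL-4410", 18_400.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-11-01 10:00"), "ACH:121000248/LANDLORD-0087", 6_000.0, CONTROLLER_LAPTOP),
]

# Constructed activity on the night of the takeover.  The criminal is
# working through the controller's hijacked machine, so device_fp matches.
# The last row is the legitimate payroll run, for contrast.
CANDIDATES: List[Transfer] = [
    Transfer(T("2009-11-04 02:14"), "WIRE:CHASUS33/J-HARRIS-5521", 9_800.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-11-04 02:19"), "WIRE:BOFAUS3N/R-PATEL-8834", 9_750.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-11-04 02:23"), "WIRE:WFBIUS6S/T-NGUYEN-1109", 9_900.0, CONTROLLER_LAPTOP),
    Transfer(T("2009-11-13 09:07"), "ACH:021000021/PAYROLL-4410", 18_600.0, CONTROLLER_LAPTOP),
]

BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59 local
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_LIMIT = 3                      # 3+ transfers in the window is abnormal for this account
AMOUNT_SPIKE_FACTOR = 1.5               # vs. the largest prior transfer to that payee


def fingerprint_check(tx: Transfer, trusted: Set[str]) -> bool:
    """The bank's login 'fingerprint' control on its own: is this a known device?"""
    return tx.device_fp in trusted


def assess(history: List[Transfer],
           candidates: List[Transfer]) -> List[Tuple[Transfer, List[str]]]:
    """Score each candidate against the account's own baseline, in submission order."""
    known_max: Dict[str, float] = {}    # largest prior amount per known beneficiary
    for h in history:
        known_max[h.beneficiary] = max(known_max.get(h.beneficiary, 0.0), h.amount)
    seen = list(history)                # everything submitted so far, for the velocity rule
    results: List[Tuple[Transfer, List[str]]] = []
    for tx in candidates:
        reasons: List[str] = []
        if tx.beneficiary not in known_max:
            reasons.append("NEW_BENEFICIARY")
        elif tx.amount > AMOUNT_SPIKE_FACTOR * known_max[tx.beneficiary]:
            reasons.append("AMOUNT_SPIKE")
        if tx.ts.hour not in BUSINESS_HOURS:
            reasons.append("OFF_HOURS")
        recent = [s for s in seen if timedelta(0) <= tx.ts - s.ts <= VELOCITY_WINDOW]
        if len(recent) + 1 >= VELOCITY_LIMIT:
            reasons.append("VELOCITY")
        seen.append(tx)
        results.append((tx, reasons))
    return results


def decision(reasons: List[str]) -> str:
    """Anything flagged is held until the customer confirms it out of band
    (a callback to a phone number on file, never a prompt inside the session)."""
    return "release" if not reasons else "hold_for_callback"


if __name__ == "__main__":
    for tx, reasons in assess(HISTORY, CANDIDATES):
        fp_ok = fingerprint_check(tx, {CONTROLLER_LAPTOP})
        print(f"{tx.ts:%m-%d %H:%M} {tx.beneficiary:<32} {tx.amount:>10,.2f} "
              f"fingerprint_ok={fp_ok} {decision(reasons)} {reasons}")
```

Run it directly to print one decision per transfer. The point is that fingerprint_check() returns True for every row, including the three mule wires submitted between 02:14 and 02:23, because the session really did come from the controller's laptop; assess() nevertheless holds each of those wires for an out-of-band callback and releases the normal payroll run untouched. In practice the thresholds would be tuned per customer and the hold would be enforced before the wire leaves the bank, since a wire that has already reached a mule is rarely recoverable.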


In an age of financially motivated cybercrime, every entity should have sufficient business insurance coverage to recover any financial losses. Executive management team members, especially the CFO, must evaluate the entity's insurance coverage to ensure that it could recover the estimated losses from any cybercrime.

Reviewing coverage should be done on a reasonable periodic basis. Leaders also might consider enlisting service providers that offer cleanup and restoration services after certain crimes have been committed.