Corporate Account Takeovers & What It Means For Credit Unions

On June 25th, at the invitation of a prominent local bank here in Houston, I’ll be presenting to a group of 40 CEOs on the (touchy) subject of Corporate Account Takeovers.

This has evolved into one of the most recurring topics in my conversations with our FI customers of late. It would appear that FIs and auditors alike have finally come to the realization that this is an issue as important as securing the FI's own internet perimeter. I mean, when you think about it, banks have their perimeters strongly protected (but do they really, ahem) to stop hackers from stealing customer data, but hackers have a much easier time stealing that same data directly from the source – the customer.

And what more valuable data than, say, the online banking credentials for a corporate banking account, which could be used to transfer lofty sums overseas before anyone notices?

Taking over a private account holding, say, $10,000, can be somewhat lucrative; but taking over a corporate account used to move millions of dollars per annum is beyond lucrative. If I were to attempt transferring $100,000 from a private account, every red flag would go off and the transfer would be stopped. Try doing the same from a corporate account: because it legitimately makes transactions of that size from time to time, the chances are minimal that anyone will sit up, take notice and raise the alarm.

Therefore, unless the destination is Nigeria, no one may actually pay attention. A fact which hackers and scammers know all too well. They set up mule accounts in the US; the large transfer goes from one US account to another; they then withdraw the money from the mule account in several small, legitimate-looking transactions to avoid raising suspicion.
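The two paragraphs above describe a detection problem as much as a fraud problem: a flat dollar threshold catches the $100,000 wire from a personal account but is useless on a business account that wires that much routinely, while the mule side of the transfer has a recognizable shape (one large credit, then a fan-out of sub-$10,000 withdrawals). The following is an added example, not code from the original post or from any FI's fraud system; it runs three simple rules over a constructed ledger (account names, amounts and timestamps are all made up) to show which of them fire where.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample ledger (not real data): account, ISO timestamp, direction, USD amount.
# "retail-001" is a personal account, "corp-001" a business account with large routine
# wires, "mule-001" a money-mule account, "vendor-001" an ordinary business receiving a wire.
LEDGER = [
    ("retail-001", "2012-06-01T09:00", "out", 40.00),
    ("retail-001", "2012-06-03T12:30", "out", 120.00),
    ("retail-001", "2012-06-05T18:10", "out", 75.00),
    ("retail-001", "2012-06-08T08:45", "out", 310.00),
    ("retail-001", "2012-06-10T11:00", "out", 90.00),
    ("retail-001", "2012-06-12T16:20", "out", 220.00),
    ("corp-001", "2012-06-01T10:00", "out", 85_000.00),
    ("corp-001", "2012-06-04T10:00", "out", 120_000.00),
    ("corp-001", "2012-06-06T10:00", "out", 95_000.00),
    ("corp-001", "2012-06-08T10:00", "out", 140_000.00),
    ("corp-001", "2012-06-11T10:00", "out", 110_000.00),
    ("corp-001", "2012-06-13T10:00", "out", 102_000.00),
    # Mule: one large credit, then nine withdrawals under $10,000 within three days.
    ("mule-001", "2012-06-14T15:05", "in", 100_000.00),
    ("mule-001", "2012-06-14T16:40", "out", 9_400.00),
    ("mule-001", "2012-06-14T18:15", "out", 9_200.00),
    ("mule-001", "2012-06-15T09:05", "out", 9_450.00),
    ("mule-001", "2012-06-15T12:30", "out", 9_300.00),
    ("mule-001", "2012-06-15T17:45", "out", 9_100.00),
    ("mule-001", "2012-06-16T09:10", "out", 9_400.00),
    ("mule-001", "2012-06-16T13:20", "out", 9_250.00),
    ("mule-001", "2012-06-16T19:00", "out", 9_350.00),
    ("mule-001", "2012-06-17T10:15", "out", 9_150.00),
    # Vendor: one large credit, paid out as two normal-sized invoices.
    ("vendor-001", "2012-06-14T15:05", "in", 100_000.00),
    ("vendor-001", "2012-06-15T09:00", "out", 60_000.00),
    ("vendor-001", "2012-06-18T09:00", "out", 35_000.00),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def outbound_history(ledger, account):
    """All outbound amounts previously seen on this account."""
    return [amt for acct, _, direction, amt in ledger if acct == account and direction == "out"]


def flat_threshold_alert(amount, threshold=50_000.0):
    """Rule 1: the naive 'any wire over X dollars' rule, identical for every account."""
    return amount >= threshold


def baseline_alert(ledger, account, amount, z=3.0):
    """Rule 2: flag only amounts far outside this account's own outbound history."""
    hist = outbound_history(ledger, account)
    if len(hist) < 3:
        return True  # too little history to trust; treat as anomalous
    mu, sigma = mean(hist), pstdev(hist)
    # Floor sigma at 5% of the mean so a very regular history still has a band.
    return amount > mu + z * max(sigma, 0.05 * mu)


def mule_cashout_alert(ledger, account, window=timedelta(hours=72),
                       min_withdrawals=4, max_withdrawal=9_500.0, min_fraction=0.8):
    """Rule 3: a credit followed, inside `window`, by several withdrawals each at or
    under `max_withdrawal` that together drain at least `min_fraction` of the credit.
    The parameters are illustrative assumptions, not figures from the post."""
    rows = sorted(((_parse(ts), d, amt) for a, ts, d, amt in ledger if a == account),
                  key=lambda r: r[0])
    for i, (t0, direction, credit) in enumerate(rows):
        if direction != "in":
            continue
        small_outs = [amt for t, d, amt in rows[i + 1:]
                      if d == "out" and t - t0 <= window and amt <= max_withdrawal]
        if len(small_outs) >= min_withdrawals and sum(small_outs) >= min_fraction * credit:
            return True
    return False


def evaluate(ledger, attempted=100_000.0):
    """Run all three rules against the attacker's $100,000 wire and the mule cash-out."""
    return {
        "retail_flat": flat_threshold_alert(attempted),
        "retail_baseline": baseline_alert(ledger, "retail-001", attempted),
        # Every legitimate corporate wire trips the flat rule: pure noise for the analyst.
        "corp_flat_false_positives": sum(flat_threshold_alert(a)
                                         for a in outbound_history(ledger, "corp-001")),
        # ...while the fraudulent wire looks normal against the account's own baseline.
        "corp_baseline": baseline_alert(ledger, "corp-001", attempted),
        "mule_cashout": mule_cashout_alert(ledger, "mule-001"),
        "vendor_cashout": mule_cashout_alert(ledger, "vendor-001"),
    }


if __name__ == "__main__":
    for rule, fired in evaluate(LEDGER).items():
        print(f"{rule:28s} {fired}")
```

The takeaway is the one the post makes: on the originating corporate account the fraudulent wire is indistinguishable by size from legitimate ones (rule 2 stays quiet, rule 1 only generates noise), so the detectable signal sits on the receiving mule account, where rule 3 fires on the fan-out of small withdrawals and stays quiet on a vendor that simply pays two invoices.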

The problem now is that you – eclectic IT magician, already in charge of network, security, compliance, servers, workstations and whatnot for your FI – are suddenly being asked, no, required to resolve this issue as well! But the problem arises from a network and a company you have absolutely zero control over! What do you do??

At this juncture, the only thing you can hope to do is get the attention of those companies' executives and give them some form of high-level security education. To this day, it continues to astound me how many still view security as a nuisance; that we in the industry are purely paranoid and really ought to stop trying to scare them. Remember, executives are people accustomed to barking out orders and seeing everyone run to execute them. They are often egotistic and self-centered, with an inflated sense of power that makes them feel invincible.

As such, not only are you not in control of their networks; you also have to deal with individuals who (most of the time) don't believe in security, think they're invincible and, all things said and done, are (quite often) the main source of your problem to begin with.

What to do, what to do.

With the support of your own higher-level management, you start by opening their eyes to the real dangers of the internet. Think about it; they're busy running a company, all day long. When do they actually read about security in the news, if ever? And when they do, it's typically about some vast corporation, a large scam, a government or foreign entity, or a multi-trillion-dollar FI. It's quite the natural reaction, therefore, for them to be convinced that such incidents only happen to big companies and/or between governments. Their thought process would most likely be along the lines of, "Why would a hacker try to attack me? I don't have much to steal, and my company is never in the news, so they don't even know I exist."

They have no idea that a hacker can scan the IP addresses of an entire nation within a single day, make a list of vulnerable sites, and then attack them one at a time. They have no idea about social engineering; they go on Facebook and post their birthdays, the names of their pets and all those bits of personal information that you and I both know are potentially dangerous (the same details that feed password-reset "security questions"). They don't realize that Facebook keeps modifying its privacy settings and often ends up making user data publicly visible. They don't know that hackers create fake accounts to befriend them and harvest information that can lead to a corporate account takeover.

Is there no hope, you ask?

Yes: education.

The only way you can hope to save the day is by educating your customers about what you and I find obvious but the rest of the world does not. Not everyone reads about security on a daily basis. Don't assume that users are less intelligent; they're simply not as informed, because it's not their job to be.

It's our job to inform them properly, promptly, and in a manner that they'll find interesting and can relate to. Don't speak geek with them; you'll lose them within a few seconds. Trust me, I know this from personal experience. Speak rationally, with common sense, and provide real-life examples. For instance, we all know why we avoid certain parts of town, and how to avoid them. But when it comes to internet behavior, this same logic often flies out the window.

Talk to them about emails carrying dangerous links, about how easy it is to impersonate someone else when you're hidden from view (LulzSec's "Kayla" wasn't a 16-year-old girl but, in reality, a man in his twenties, Ryan Ackroyd). Explain how social engineering works in layman's terms. You can't force them to secure their networks; but if you make them "see the light", you might obtain just that.

Pierluigi Stella

With a sterling track record of successfully accomplished projects, extensive technical know-how, and nine years as head of both the technical and customer service divisions of Network ... Web: www.networkboxusa.com