Updated Cyber Security and Fraud Prevention Tools Tactics

Cyber Security & Fraud Prevention Examples, Tools & Tactics Ben Graybar, MBA, VP, QAS, Commercial Banker (850) 556-0771 Cell/Text [email protected]

Transcript of Updated Cyber Security and Fraud Prevention Tools Tactics

Cyber Security & Fraud Prevention

Examples, Tools & Tactics

Ben Graybar, MBA, VP, QAS, Commercial Banker

(850) 556-0771 Cell/Text [email protected]

What got me started?

Yep, they got my entire family!

* Source: American Banker 3/4/2015, Bank Technology News by Penny Crosman

THE EVOLVING LANDSCAPE

Cyber security threats have evolved exponentially with the rapid adoption of cloud computing, mobile technology, and remote access.

You can protect your business by staying abreast of the latest emerging threats.

“Fraud prevention and protection is a lot like squeezing Jello,” said Dr. Stephen Coggeshall, chief scientist at LifeLock, which sponsored the Javelin study. “When you stop it in one place, it squirts out someplace else.”*

Cyberattacks affect ‘nearly every single company’

“Cyberattacks are affecting nearly every single company we encounter, but we’re not seeing those attacks drive enough proactive business action as evidenced by the rate of investment made in information security,” said Greg Bell, KPMG Cyber US Leader.

“We’re still seeing companies taking a passive or reactive approach toward cybersecurity, when in fact cyber should be a top-line business issue thought about and practiced company-wide.”

http://www.welivesecurity.com/2016/07/27/cyberattacks-affect-nearly-every-single-company/

We Will All Be Cyberattacked, Ex-FBI Cybercrime Agent Says

The odds of a person eventually suffering a cyberattack are “pretty much 100% at this point,” according to Bill Slattery, a former FBI special agent in the cyber division who now investigates cybercrime for Facebook.

http://www.thinkadvisor.com/2016/09/23/we-will-all-be-cyberattacked-ex-fbi-cybercrime-age?ref=hp-financial-news&slreturn=1474918683

“There are 2 kinds of people – those that were hacked, and those who don’t realize they were.”

Proud Member of InfraGard

Recent Infragard Update

• A Private Industry Notification (PIN) concerning Wireless Keystroke Logger Disguised as USB Device has been posted to the InfraGard system.

Summary: KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards. If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.

Deloitte Consulting, Beneath the surface of a cyberattack, July 2016

Beneath the surface of a cyberattack A deeper look at business impacts

Fourteen cyberattack impact factors

A wide range of direct and/or intangible costs contribute to the overall impact of a major cyber incident.

Above the surface (better-known cyber incident costs):

• Technical investigation

• Customer breach notification

• Post-breach customer protection

• Regulatory compliance

• Public relations

• Attorney fees and litigation

• Cybersecurity improvements

Beneath the surface (hidden or less visible costs):

• Insurance premium increases

• Increased cost to raise debt

• Impact of operational disruption or destruction

• Lost value of customer relationships

• Value of lost contract revenue

• Devaluation of trade name

• Loss of intellectual property

Data of 200 million Yahoo users offered for sale

• This batch is being sold for 3 bitcoins (a little over $1,860), and apparently contains the username, MD5-hashed password, and date of birth of some 200 million users, and backup email addresses, country and ZIP code of US users.

• https://www.helpnetsecurity.com/2016/08/02/data-yahoo-users-sale/

Yahoo Breach Could Delay $4.8 Billion Verizon Takeover

• Verizon may revisit its contract with Yahoo amid doubts about vulnerabilities in Yahoo’s systems after 500 million accounts were found to have been hacked.

• http://www.darkreading.com/attacks-breaches/yahoo-breach-could-delay-$48-billion-verizon-takeover/d/d-id/1327004

• The news that 500 million Yahoo accounts were breached by hackers may not jeopardize the tech company’s deal with Verizon, but it could delay it as the telecom giant takes a closer look at the legal ramifications, says NBC News.

Got Netflix? 6/9/16 on CBS

Tweet Much? 6/9/16 http://techcrunch.com/2016/06/08/twitter-hack

• Passwords for 32M Twitter accounts may have been hacked and leaked

• Hackers may have used malware to collect more than 32 million Twitter login credentials that are now being sold on the dark web. Twitter says that its systems have not been breached.

• Other major security compromises which have hit the news recently include a Myspace hack that involved over 360 million accounts, possibly making it the largest one ever, and the leak of 100 million LinkedIn passwords stolen in 2012.

• by Catherine Shu (@catherineshu), Kate Conger (@kateconger)

That’s NOT what I said!

Flaw Allowed Hackers To Change Conversations in Facebook Messenger June 2016

• By exploiting this vulnerability, cybercriminals could change a whole chat thread without the victim realizing. What’s worse, the hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations.

• http://www.crm-daily.com/story.xhtml?story_id=020001IA1JQ0

• By Jef Cozza / CRM Daily

68 million Dropbox passwords stolen by hackers

• If you hadn’t changed your password since mid-2012, there’s not much reason to worry: since Dropbox forced a password reset on those accounts…

• However, if you’ve used the same email address and password combination on other services, you’ll want to change those right away. It’s common for hackers to try using credentials from one company breach on other services and accounts.

• 2016 has not been a good year for online security.

• Earlier this year, 32 million Twitter passwords were put up for sale on the Deep Web for just $5,807

• In May, 117 million LinkedIn account details were available for $2,200, and 45 million users’ credentials were stolen from numerous forums operated by a single company.

• If you’re concerned about the safety of your online accounts, now would be a good time to try out a password manager like 1Password and enable two-factor authentication on every service that offers it.

Hackers compromise nearly 16,000 WordPress websites

• According to security researcher Daniel Cid, at least 15,769 WordPress websites have been compromised this year by cyber-attackers who were able to evade Google's Safe Browsing checks.

• The report also found that 3,099 Joomla! sites were hacked during that time as well.

• Almost three quarters of the compromised sites in the Sucuri report shared one characteristic: they were backdoored. By placing a backdoor on these sites, hackers gained a new way of loading malicious payloads and targeting visitors, and in the future these same sites could be used for further attacks.

Sample attacking civic club members

City of Tallahassee

Fraud Alert

Beware of Recent Phone Scam Targeting City of Tallahassee Utility Customers

Several City Utility customers have reported receiving phone calls from individuals identifying themselves as City of Tallahassee Utilities representatives. The caller indicates that the account is past due and threatens utility service disconnection - usually within an hour - if immediate payment is not made.

Please be advised that these calls are NOT authorized or affiliated with City Utilities. Your Own Utilities does not conduct business in this manner. The City will not request its customers to provide payment in the form of Green Dot, Account Now, Vanilla cards or any other type of prepaid card.

Customers can make payments online, by phone, mail or automatic bank draft, as well as in person at the Frenchtown Renaissance Center, 435 N. Macomb St., or at one of many remote payment locations throughout Tallahassee.

If you receive a suspicious call that you believe may be a scam, contact Your Own Utilities at 891.4YOU (4968) to confirm the call. This will allow the City to document the activity and continue to work with the Tallahassee Police Department to prevent fraud. Thank you.

Types of Attacks on Banks/Clients

• Verizon's Data Breach Investigations Report is different. The telecom giant creates it in concert with more than 67 organizations, government agencies among them. Notable contributors include the U.S. Secret Service, the U.S. Computer Emergency Readiness Team (US-CERT), the Anti-Phishing Working Group, the National Cybersecurity and Communications Integration Center, Kaspersky Lab, Cisco Security Services and EMC.

• http://www.americanbanker.com/news/bank-technology/where-banks-are-most-vulnerable-to-cyberattacks-now-1080671-1.html?

How did they do it?

http://www.theregister.co.uk/2016/04/26/verizon_breach_report

• Verizon's ninth annual Data Breach Investigations Report (DBIR) provides an analysis of over 100,000 security incidents and 2,260 confirmed data breaches last year.

• Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes).

• This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.

• Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.

Best Password Ever … NOT!

These are the 25 worst passwords of 2015

• Here’s SplashData's complete list of the 25 worst passwords for 2015, with the change from their 2014 ranking in brackets:

1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)

• http://www.pcworld.com/article/3024252/security/these-are-the-25-worst-passwords-of-2015.html
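The Yahoo batch described earlier was sold with MD5-hashed passwords, and the list above is what people actually type. The following Python is an added example, not code from the slides or from any of the cited articles, showing why that combination is fatal: an unsalted, fast hash can be inverted instantly with a lookup table built from exactly this 25-word list, while a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 here) makes one shared table useless. The "dump" it cracks is constructed for the example and contains no real data.

```python
import hashlib
import hmac
import os

# The SplashData 2015 list quoted above; an attacker's wordlist starts here.
WORST_PASSWORDS_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
]

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster


def md5_hex(password):
    """Unsalted MD5 as in the leaked dump: same password -> same hash for everyone."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(wordlist):
    """Precompute hash -> password once; the table works against every dump that
    used unsalted MD5, which is exactly what makes unsalted fast hashes worthless."""
    return {md5_hex(p): p for p in wordlist}


def crack_unsalted(dump, lookup):
    """dump: iterable of (username, md5_hex). Returns {username: password} per hit."""
    return {user: lookup[h] for user, h in dump if h in lookup}


# Constructed sample in the leaked format (username, MD5 hex). Not real accounts.
SAMPLE_DUMP = [
    ("alice", md5_hex("123456")),
    ("bob", md5_hex("starwars")),
    ("carol", md5_hex("correct horse battery staple")),  # not in the wordlist
]


def pbkdf2_store(password, salt=None):
    """Salted, slow hash. Returns (salt, digest); store both per user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def pbkdf2_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def salted_digests_differ(password):
    """Two users who chose the same weak password get different stored values,
    so a single precomputed table no longer cracks them all at once."""
    _, d1 = pbkdf2_store(password)
    _, d2 = pbkdf2_store(password)
    return d1 != d2


if __name__ == "__main__":
    hits = crack_unsalted(SAMPLE_DUMP, build_lookup(WORST_PASSWORDS_2015))
    print("cracked with a 25-word list:", hits)
    salt, digest = pbkdf2_store("123456")
    print("salted+slow verify:", pbkdf2_verify("123456", salt, digest))
    print("same password, two salts, different digests:", salted_digests_differ("123456"))
```

Salting does not make "123456" a good password; an attacker can still guess it per account, just not for every account with one table lookup. The slow hash is what turns a few hundred million guesses per second into a few thousand.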

Password Sharing Is Now a Crime

• Unless Netflix specifically authorizes you to share your password with your friend, you're breaking federal law.

• As a result, the court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon.

• The Computer Fraud and Abuse Act has been a disaster for many reasons, this being one of them. There will be an appeal of this ruling.

• https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html

20 percent of employees would sell their passwords

By Ian Barker http://betanews.com/2016/03/21/employees-would-sell-passwords/

• According to new research from identity management company SailPoint one in five employees would be willing to sell their work passwords to another organization, up from one in seven last year.

• Of those who would sell their passwords, 44 percent would do it for less than $1,000, and some for less than $100. This is made worse by the fact that 65 percent admit to using a single password among applications and 32 percent share passwords with their co-workers.

• Other findings include the worrying fact that more than two in five employees still have corporate account access after they leave their job. In addition, 26 percent uploaded sensitive information to cloud apps with the specific intent to share data outside the company.

Internal Access Controls

• Smaller-scale data loss, however, is often a result of authorized employees simply exploiting their privileged access rights. This is where user access control can be an extremely challenging area for many businesses … especially in light of the increasing bring your own device (BYOD) trend.

• http://www.computerweekly.com/opinion/Security-Think-Tank-Many-breaches-down-to-poor-access-controls

Insider Dealing – Access Control

Source: Feb 2016 Florida Trend

Build your “Employee Firewall”

Internal Controls – FDIC Breach

http://www.americanbanker.com/news/bank-technology/what-banks-can-learn-from-the-fdic-data-breach-1080452-1.html?utm_medium=email&ET=americanbanker:e6511893:4495691a:&utm_source=newsletter&utm_campaign=abla%20daily%20briefing-apr%2015%202016&st=email&eid=fde53dfe86654ae08b6cdc3d7e83eee0

• On Friday, Feb. 26, an FDIC employee was packing up; it was her last day at the agency. She downloaded some personal files, such as family photos and her resume, from her work computer onto a USB drive to take home. At the same time, the FDIC later discovered, she inadvertently downloaded 44,000 customer records, including personally identifiable information, onto the portable device.

FDIC's report to Congress mentions 20 information breaches during the 2015 fiscal year

• The agency's chief information officer, Lawrence Gross, told the panel Thursday that seven other incidents that had involved a departing employee downloading sensitive data on a zip drive — which were reported to Congress — all were accidental in nature.

• "The individuals involved in those incidents were not computer proficient," Gross said. So much so, he added, that they could "inadvertently copy the entire hard drive."

• “For example, there were instances where sensitive financial institution information was mistakenly provided to a non-authorized party via an inadvertent email or via posting to an information exchange site in the wrong location,” the report says. “The unauthorized parties were contacted in each case to destroy the sensitive information.”

• http://www.americanbanker.com/news/law-regulation/fdic-employee-took-big-banks-living-wills-on-the-way-out-1080987-1.html?utm_medium=email&ET=americanbanker:e6714062:4495691a:&utm_source=newsletter&utm_campaign=abla%20daily%20briefing-may%2013%202016&st=email&eid=fde53dfe86654ae08b6cdc3d7e83eee0 May 12, 2016 by Lalita Clozel

It’s not just the breach … It’s the reporting! Florida Trend

Florida Information Protection Act

• Defines the “personal information” whose breach triggers the law

• Affected consumers must be notified within 30 days of discovery of the breach

• Third-party agents of covered entities must notify the covered entity within 10 days

• If the breach involves more than 500 Florida residents, the State (Department of Legal Affairs) must also be notified

• Business and governmental entities must take reasonable measures to protect the data

• Penalties up to $1,000/day for the first 30 days and $50,000 for each subsequent 30-day period, up to 180 days

• http://www.akerman.com/documents/res.asp?id=2002

700,000 IRS Files Breached

Those who were hacked, & those who don’t know they were!

Even in Tallahassee!

9 sentenced in $2.6M income tax refund case

Tallahassee Democrat 5:01 p.m. EDT June 24, 2016

• Four Big Bend residents are among nine people sentenced this week on federal charges involving more than $2.6 million in fraudulent income tax refunds.

• They used stolen personal identifying information from approximately 2,800 individuals.

• The sources of the personal information included an insurance provider, an online database, and an area hospital, according to the U.S. Attorney's Office.

Wifi & Bluetooth

• Never use Wifi outside your home for private info, or better yet – not at all

• If you are going to use Wifi, be sure you know what you’re using … but how can you?

• Never auto-connect

• Lock your home Wifi by creating a password

• Wifi keyboard & CPU hard drive readers

• Beware of Bluetooth – turn it off in a crowd

• It’s a line-of-sight exposure, if not paired/active

29% of Android devices can’t be patched by Google

• Apple CEO Tim Cook put on screen at Apple’s WWDC developers conference a slide of a pie chart showing that 99% of mobile malware was on Android.

• https://nakedsecurity.sophos.com/2016/04/21/29-of-android-devices-cant-be-patched-by-google

Mobile device infections rose 96 percent in the first half of 2016

• One out of 120 smartphones infected: In April, one out of every 120 smartphones had some type of malware infection.

• Android OS hit hardest: Android smartphones were the most targeted mobile platform, accounting for 74 percent of all malware infections, compared to Windows/PC systems (22 percent) and other platforms, including iOS devices (4 percent).

Android Trojan targets customers of major banks and can bypass 2FA

By Ian Barker http://betanews.com/2016/03/09/android-banking-trojan/

Researchers at security company ESET have uncovered a new strain of Android malware that can steal the login credentials of mobile banking users.

Named Android/Spy.Agent.SI, the malware presents victims with a fake version of the login screen of their banking application and locks the screen until they enter their username and password.

Using the stolen credentials, thieves can then log in to the victim's account remotely and transfer money out. They can also use the malware to send them all of the SMS text messages received by the infected device, and remove them.

Ransomware Example In The News

Ransomware - it happens here …

• Coaxis as Cloud backup provider

Stampedo Ransomware Available for Just $39

http://betanews.com/2016/07/18/stampedo-ransomware/

• A new variant of ransomware has been found for sale on the dark web for an incredibly low price that allows its victims 96 hours to pay a fee.

• This new piece of ransomware is called Stampedo and it is available for only $39 which includes a lifetime license. Once it has infected a user’s system, a fee must be paid within the allotted time in order to regain access. If a user fails to pay the fee, Stampedo begins to delete random files on their computer within six hour intervals.

Ransomware customer service: Negotiation is always on the table

Can negotiating with ransomware operators result in a reduced fee?

By Charlie Osborne for Zero Day | July 18, 2016 -- 07:00 GMT (00:00 PDT) | Topic: Security

http://www.zdnet.com/article/ransomware-customer-service-negotiation-is-always-on-the-table/

• Cyberattackers running ransomware campaigns are usually willing to negotiate if it means extorting any payment at all from victims, researchers claim.

• Demands for payment go from $200 to thousands of dollars.

• 3 of 4 gangs negotiate

If success is 86%, 14% fail

Where are the bad guys?

http://betanews.com/2016/04/19/us-malware-hosting/

According to a new report from German security company G DATA, more malicious websites were hosted in the US in 2015 than in any other country, originating around 57 percent of recorded attacks.

China, Hong Kong, Russia and Canada are also major hosts of malware, though Europe is little in evidence, only Germany and Italy making the top seven and accounting for just six percent between them.

FSU Hackathon … Kind of

FACTS

Source: 2015 & 2016 AFP Payments Fraud and Control Survey

SECURITY MATTERS: FRAUD HAPPENS

… & Size Doesn’t Matter

Source: 2015 Internet Security Threat Report - Symantec

PHISHING

Impersonation Tactics

• PHISHING: A bogus email or text that appears to come from a business you do business with. It asks you to click on its link.

• SPEAR PHISHING: A bogus e-mail that appears to be from a business or someone you know. It often appears as a “reply” to a previous conversation you had with that business or person.

• MASQUERADING or BOSS PHISHING: Hackers infiltrate email networks, impersonate executives and send instructions that perpetrate wire fraud.

• BEC or BUSINESS EMAIL COMPROMISE: Scammers socially engineer the employees of a business, often sending from look-alike domain names, to gain access or payments.

• WHALING: Where the CEO/boss is impersonated in emailing instructions to send $
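The look-alike domain in the BEC definition is the part of the scheme a mail filter can actually catch. The Python below is an added example, not code from the deck or from any cited source. It flags a sender domain that imitates a trusted one by character substitution (rn for m, the digit 0 for o, a Cyrillic а for a Latin a, including the punycode form such a domain arrives in), by embedding the trusted name in a longer domain, or by close edit similarity. The trusted domains and the addresses it checks are hypothetical, and the registrable-name split (drop the last label) is a simplification that a production filter would replace with the Public Suffix List.

```python
from difflib import SequenceMatcher

# Hypothetical domains the business legitimately corresponds with.
TRUSTED_DOMAINS = {"acmecorp.com", "firstbankexample.com"}

# Substitutions attackers use to register a near-identical domain.
# Multi-character folds come first so "rn" becomes "m" before single chars.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic a, e, o
    ("\u0440", "p"), ("\u0441", "c"),                  # Cyrillic er, es
]


def skeleton(name):
    """Fold visually confusable characters to one canonical form."""
    s = name.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def registrable_name(domain):
    """Drop only the last label. Simplification: without the Public Suffix
    List, 'acmecorp.co.uk' would be handled imperfectly."""
    return domain.rsplit(".", 1)[0]


def sender_domain(address):
    """Domain from 'Name <user@host>' or 'user@host', with punycode decoded so
    xn-- labels are compared as the Unicode the victim sees in the mail client."""
    domain = address.rsplit("@", 1)[-1].strip("<> ").lower()
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as given
    return domain


def classify_sender(address, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return (verdict, domain). Verdicts: 'trusted', 'unknown', or
    'lookalike:<homoglyph|contains|similar>' naming the impersonated domain."""
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    name = skeleton(registrable_name(domain))
    verdict, best_ratio = ("unknown", domain), 0.0
    for t in sorted(trusted):
        tname = skeleton(registrable_name(t))
        if name == tname:            # acrnecorp, acmec0rp, Cyrillic-a acmecorp
            return ("lookalike:homoglyph", t)
        if tname in name:            # acmecorp-secure, acmecorp.com.evil
            return ("lookalike:contains", t)
        ratio = SequenceMatcher(None, name, tname).ratio()
        if ratio >= threshold and ratio > best_ratio:
            verdict, best_ratio = ("lookalike:similar", t), ratio
    return verdict


if __name__ == "__main__":
    for addr in ["cfo@acmecorp.com", "CFO <cfo@acrnecorp.com>",
                 "cfo@\u0430cmecorp.com", "ap@acmecorp.com.evil.net",
                 "ap@acme-corp.com", "ben@example.org"]:
        print(addr, "->", classify_sender(addr))
```

A hit should not silently drop the message; the practical response is to tag it, strip the reply-to, and route anything that asks for a payment or a bank-account change to the two-person, out-of-band verification the wire-fraud stories later on this deck recommend. The threshold and the confusables table are tuning knobs: a short trusted name will need a higher threshold to avoid false positives.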

Phishing Defense

• 73% of corporate finance and treasury executives surveyed by the Association for Financial Professionals reported that their companies experienced attempted or actual payments fraud in 2015.

• That’s up from 62% in 2014.

• http://www.americanbanker.com/news/bank-technology/how-to-become-unphishable-1080199-1.html?pg=1

Uber's Phishing Tale Can Teach Banks a Lot About Security

• “We've had a couple of different instances where we've gotten more than a million [phishing attacks] in a single day,” said Chris Cravens, head of technology services at Uber.

• http://www.americanbanker.com/news/bank-technology/ubers-phishing-tale-can-teach-banks-a-lot-about-security-1081314-1.html?utm_medium=email&ET=americanbanker:e6857673:4495691a:&utm_source=newsletter&utm_campaign=daily%20briefing-jun%203%202016&st=email&eid=fde53dfe86654ae08b6cdc3d7e83eee0

Local Text Phishing Scam 5/12/16

http://www.wctv.tv/home/headlines/Potential-Victim-Avoids-Scam-379286571.html

• Valerie Wickboldt, a SunTrust Bank customer, says she was surprised when she got a text message from a potential scammer.

• It reads ' your debit card has been locked please call' and a number was provided.

• The number to contact the state AG office is 866-9-NO-SCAM.

Phishing TEXT I received

How to … boldly made easier

• Phishers are creating YouTube channels to document their attacks

• Phishing attacks have linked back to YouTube channels where phishers explain their attacks and promote their tools while looking for buyers.

• http://www.symantec.com/connect/blogs/phishers-are-creating-youtube-channels-document-their-attacks

Symantec recently discovered a phishing site for Amazon.com which didn't seem particularly noteworthy at first. However, looking at the HTML source revealed an interesting comment from the attacker. The following figure shows a "brag tag" that details the name of the scam, "Scama Amazon 2016,” along with the attacker's name, website, and even a YouTube channel.

Banking Trojans Expand Their Reach

Report: New Botnet Targets Include App Stores, Shipping Organizations, Many Others

Tracy Kitten (FraudBlogger) • February 22, 2016

• "They need to make sure that their users don't click on links in an email," he says. "This is still the primary entry point for most criminals.“

• http://www.bankinfosecurity.com/banking-trojans-expand-their-reach-a-8886

Regulation E: Electronic Fund Transfers 12 CFR 205 www.federalreserve.gov

• Section 205.6 Liability of consumer for unauthorized transfers

• Limits a consumer's liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited.

When Cyberfraud Hits Businesses, Banks May Not Offer Protection - NPR

Updated October 7, 2015 6:12 PM ET Published September 15, 20155:04 AM ET

• It turned out a cybercrook had commandeered the debit card he used to cover the costs of foreign trips. Krier expected that his bank would reimburse him.

24 Hours?!?!

• At first, he says, the staff at the local bank said, "Not a problem." But later, Krier says, that bank told him, "It's a business account, so you're out of luck."

NPR Story – continued…

• Cyberthieves hacked his email account, impersonated him and transferred more than $1 million through U.S. domestic accounts to an account in China.

• That's because the thieves also had access to his Outlook calendar. It meant the cybercrooks could safely impersonate Rolfe and write emails telling his bookkeeper to transfer funds to their bank accounts. The thieves could respond to any questions from Rolfe's bookkeeper and then delete all those communications from the account before Rolfe returned from his meetings and checked his email again.

• The most recent FBI data show a huge growth in this kind of fraud. More than 8,000 companies have been victimized over the past two years. Their losses total nearly $800 million.

• The law does require banks, under the Uniform Commercial Code, to offer business customers a "commercially reasonable" security protocol. If the bank follows that protocol, it can refuse to reimburse businesses that are victims of fraudulent money transfers.

• Johnson says the best way forward is for banks to inform their customers about the dangers they face so they can work together to beat the bad guys.

• He offers these tips to businesses: educate your employees, change passwords often, require two-person approval for fund transfers, and dedicate a single computer to be used only for financial transactions.

• http://www.npr.org/sections/alltechconsidered/2015/09/15/440252972/when-cyber-fraud-hits-businesses-banks-may-not-offer-protection

TYPES OF PAYMENTS TARGETED FOR FRAUD

Source: Assoc. of Financial Professionals Payments Fraud & Control Survey

Largest $ Losses Per Fraud Type

TALLAHASSEE, Fla. — Attorney General Pam Bondi’s Office of Statewide Prosecution and the Florida Department of Law Enforcement today announced the arrests of four suspects accused of travelling across Florida to steal hundreds of rent checks. According to FDLE’s two-year investigation, the defendants worked nights and weekends to retrieve money orders and cashier’s checks from drop boxes. The theft crews allegedly targeted apartment complexes or rental communities having drop boxes, striking when payments were due at the end of the month. The investigation revealed that the defendants targeted apartments in Broward, Charlotte, Collier, Duval, Hillsborough, Lee, Osceola, Polk and Sarasota counties.

The defendants allegedly used long metal rods affixed with a sticky material to fish payments from drop boxes, altered and deposited the checks in 38 identified bank accounts and immediately withdrew the cash. The thefts were not usually discovered until the landlord asked tenants for the overdue rental payments.

According to the investigation, the defendants deposited some 443 money orders and two cashier’s checks totaling more than $200,000 into their accounts.

MERCHANT SERVICES

More than just Wendy’s 7/10/16

250 Hyatt hotels infected last year with payment data stealing malware

The hotel chain has admitted that 250 hotels in 54 countries were affected by the data breach.

By Charlie Osborne for Zero Day | January 15, 2016 -- 13:29 GMT (05:29 PST) | Topic: Security

The Hyatt hotel chain has revealed that almost half of its properties were infected with malware last year and customer financial data may have been stolen.

According to the company, 318 hotels out of 627 in the firm's portfolio were infected with information-stealing malware from August 13 to December 8, 2015. Some locations may have been affected as early as July 30, 2015.

China, India and the United States are at the top of the list for malware-ridden hotel systems, with 22, 20 and 99 infected sites respectively.

Hyatt says that following an investigation, "signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations" were discovered.

While malware was exposed mainly at restaurants, some spas, parking, golf shops, front desk reception systems and sales offices were also impacted.

The chain says the malware in question was designed to steal financial data including cardholder names, card numbers, expiration dates and internal verification codes, which are used onsite to verify transactions. According to the company, the malicious code harvested credentials as they passed through Hyatt's infected payment processing systems.

Malware hits 20 major hotels, customer data may be stolen

http://betanews.com/2016/08/16/malware-20-us-hotels-ei-hotels-and-restaurants/

• As many as 20 hotels in the US have been hit by malware, and fears are spreading that customer data, including credit card information, was stolen.

• According to a Reuters report, hotels under attack include Starwood, Marriott, Hyatt and Intercontinental -- all part of the HEI Hotels & Restaurants.

• A total of 12 Starwood hotels were affected, six Marriott Internationals, one Hyatt Hotel and one InterContinental Hotels Group, with the malware being in operation from March 1 2015, to June 21, 2016. Fourteen hotels were infected during December last year.

Malware Found on the PoS Systems at Hard Rock Hotel & Casino

Hotel chain urges customers to watch out for card fraud

Jun 28, 2016 23:05 GMT · By Catalin Cimpanu

http://news.softpedia.com/news/malware-found-on-the-pos-systems-at-hard-rock-hotel-casino-505770.shtml

Card scraping malware at the heart of the incident

• The hotel chain admits that clients who stayed or used their payment cards at the hotel's restaurant and retail outlets between October 27, 2015, and March 21, 2016, could be affected.

The malware can collect card details such as the cardholder's name, card number, expiration date, and internal verification code.

Home Depot Says Electronic Outage Slowed Card Purchases

By: Associated Press April 9, 2016

• In 2014, the Atlanta-based retailer reported a massive, months-long breach that affected 56 million debit and credit cards. The company said that hackers had accessed the company's network using a third-party vendor's username and password.

70% / 40% as of April 2016

Charges look legitimate on your bill

Debit Cards

• Do not link any account to your debit card as overdraft protection.

• Instead, transfer funds into your account tied to your debit card … when needed.

• Use Credit Cards, when possible.

Protect Your Cards

SKIMMERS Source: WCTV.TV

Exponential Increase in Skimmers

Scott Signs Bills on Credit Card Skimmers

• And a law that takes effect Oct. 1 will require security devices on gas pumps to prevent illegal credit card skimmers. The legislation was a top priority for Agriculture Commissioner Adam Putnam, whose department has been investigating the use of skimmers to steal credit card information.

• http://www.wctv.tv/home/headlines/Scott-Signs-Bills-on-Credit-Card-Skimmers-Police-Seizures-374309251.html

• By: Associated Press, April 1, 2016

Printers, copiers are data gold mines for identity thieves

By Alan Johnson The Columbus Dispatch • Saturday January 10, 2015 5:56 AM

All the things you copy at home and the office — tax returns, medical records, financial information and more — could end up in someone else’s hands.

That’s because copiers and fax machines, like computers, contain hard drives capable of storing a large volume of digital information.

Nearly all copiers made since 2002 for business use, and some for home use, contain a hard drive that can store every copy made, item printed or fax scanned. While the information might be encrypted, it’s not usually a challenge for hackers to access details, including Social Security and telephone numbers, bank accounts and credit-card numbers, according to digital experts.

Calling appears local Advance Payments Fraud

Real Example We Caught

City of Midway Loses $24,000 to Scammers

Janmaris Perez / Updated Jun 10, 2016 / WTXL

• Forged checks that were identical to those used by the City

• City Manager Ford says the city will be taking definitive action in response to the scam to ensure this does not happen again. This includes changing current account numbers and implementing a new system for identifying which submitted checks will be honored by the bank.

You Probably Can't 'Prevent' Cyberattacks, But Here's What You Can Do

• There are four kinds of controls in all: preventive, detective, corrective and compensatory.

• A preventive control acts like a barrier to an attack. Security awareness training is another excellent example of a preventive control.

• Detective controls are easier - they detect. They know the door has been opened (i.e. a motion detector) and they either close it or alert someone. Other examples of detective controls include system monitoring applications, intrusion detection systems, and even anti-virus and anti-malware solutions.

• Corrective controls fix or restore the environment. For example, applying the right security patches and upgrades is a corrective control. Restoring your data from backup is another corrective control.

• Compensatory controls are those designed to compensate for some of the damage. A disaster recovery site is a compensatory control. Cyber insurance can also be a compensatory control. Even a backup generator, a second set of servers or computers, or the ability to switch over operations to another country, are compensatory controls.

• http://www.americanbanker.com/bankthink/you-probably-cant-prevent-cyberattacks-but-heres-what-you-can-do-1091370-1.html?utm_medium=email&ET=americanbanker:e7665966:4495691a:&utm_source=newsletter&utm_campaign=daily%20briefing-sep%2020%202016&st=email&eid=fde53dfe86654ae08b6cdc3d7e83eee0 9/19/2016

HOW TO SAFEGUARD (your defense)

IBM’s TRUSTEER RAPPORT ACCOUNT PROTECTION

Shielding your PC from fraudsters is free.

Rapport performs three key security steps:

1. Keystrokes are encrypted as soon as the keys are pressed, defeating key-logging malware programs.

2. Web sites are authenticated before any login details are transmitted, ensuring passwords are not compromised.

3. Data is secured within the browser until it has been submitted to the verified, legitimate web site, preventing unauthorized access to sensitive data.

How Businesses Protect Themselves

TREASURY ACTIVITY ALERTS

Treasury Management tools can provide automatic alerts for:

1. Outgoing Wires

2. Outgoing ACH transactions

3. ACH Profiles – changes, additions and deletions

4. Commercial Loan payments and advances

If you use Treasury Solution Dual Administration, alerts can be set up by the Administrator to let them know when changes occur.

The Dual Administration feature is optional, but highly recommended.

We recommend a multi-layered approach to security measures to protect your accounts. There are built-in security measures, from login to administrative audit control, and each client must decide what is appropriate for their situation.

www.BusinessShield.org

• Business Identity Theft starts with the fraudulent alteration of your business’s Secretary of State filings, which are not monitored by any current identity theft service.

(Not affiliated with Hancock Bank)

INTERNAL VIGILANCE & EMPLOYEE FIREWALLS

Your company needs more than strong security procedures; each employee must function as an ‘employee firewall’ at their workstation.

Remember, your employees trust the Internet and social media; this makes the Internet one of the greatest security risks to your business.

INTERNAL PROCEDURES

Separate duties between staff that issue payments and staff that reconcile the bank accounts.

Require Dual Authorization for all monetary transactions; your bank requires it on all ACH and wire transfers.

Conduct a Daily Transaction Review for all outgoing items (ACH, wires, and checks)!

Remotely Deposited Checks – Void/secure checks once they are remotely deposited and destroy them according to your bank’s retention period.

Validate Vendor Information by requiring confirmation prior to paying an invoice from a new vendor or processing a change of address request.
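The treasury alerts and the internal procedures above describe the same set of checks: alert on outgoing wires, ACH and profile changes, require a second approver on every monetary item, keep the person who issues a payment away from reconciling it, and hold any payment to a new vendor or to changed vendor details until it is confirmed out of band. The small transaction monitor below is an added example (not the bank's Treasury Management product or any code from this deck) that applies those rules to a constructed batch of transactions as a daily review. Every transaction id, user name, vendor and amount in it is constructed sample data, and the field names (`initiator`, `approvers`, `reconciled_by`, `confirmed_out_of_band`) are assumptions about how such a system might record a payment.

```python
"""Daily transaction review: alerts, dual authorization, separation of duties,
vendor validation.  Added illustration; not the bank's own tooling."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Transaction kinds the deck says should raise an automatic alert.
ALERT_KINDS = {"WIRE_OUT", "ACH_OUT", "ACH_PROFILE_CHANGE", "LOAN_PAYMENT", "LOAN_ADVANCE"}
# Outgoing monetary items that need dual authorization and a daily review.
MONETARY_KINDS = {"WIRE_OUT", "ACH_OUT", "CHECK"}


@dataclass
class Transaction:
    txn_id: str
    kind: str
    amount: float
    initiator: str                        # user who issued the item (assumed field)
    approvers: List[str] = field(default_factory=list)
    reconciled_by: Optional[str] = None   # user who reconciled it, if anyone yet
    vendor: Optional[str] = None
    details_changed: bool = False         # vendor asked to change address/bank details
    confirmed_out_of_band: bool = False   # confirmed via a number already on file


def review_transaction(txn: Transaction, known_vendors: Set[str]) -> List[str]:
    """Apply the deck's procedures to one item and return a list of findings.
    'ALERT' lines are informational; 'HOLD' lines mean do not release the item."""
    findings: List[str] = []

    # 1. Treasury activity alert for wires, ACH, profile changes, loan activity.
    if txn.kind in ALERT_KINDS:
        findings.append(f"ALERT {txn.kind} {txn.amount:.2f}")

    if txn.kind in MONETARY_KINDS:
        # 2. Dual authorization: someone other than the initiator must approve.
        second_set = {a for a in txn.approvers if a != txn.initiator}
        if not second_set:
            findings.append("HOLD dual authorization missing (no approver other than initiator)")
        # 3. Separation of duties: issuer must not also reconcile the account.
        if txn.reconciled_by is not None and txn.reconciled_by == txn.initiator:
            findings.append("HOLD separation of duties: initiator also reconciled")

    # 4. Vendor validation: new vendor or changed details needs out-of-band confirmation.
    if txn.vendor is not None:
        new_vendor = txn.vendor not in known_vendors
        if (new_vendor or txn.details_changed) and not txn.confirmed_out_of_band:
            reason = "new vendor" if new_vendor else "vendor detail change"
            findings.append(f"HOLD {reason} not confirmed out of band")
    return findings


def daily_review(txns: List[Transaction], known_vendors: Set[str]) -> Dict[str, List[str]]:
    """Review every outgoing item for the day and map txn_id -> findings."""
    return {t.txn_id: review_transaction(t, known_vendors) for t in txns}


def items_to_hold(report: Dict[str, List[str]]) -> List[str]:
    """Ids of items that must not be released until a finding is cleared."""
    return sorted(tid for tid, f in report.items() if any(x.startswith("HOLD") for x in f))


# Constructed sample data (not real vendors, users or amounts).
SAMPLE_VENDORS = {"Acme Supply"}
SAMPLE_TXNS = [
    # Known vendor, but its bank details changed on this request and nobody phoned to confirm.
    Transaction("T1", "WIRE_OUT", 24000.0, "alice", ["bob"], vendor="Acme Supply", details_changed=True),
    # Initiator approved her own ACH: dual authorization not met.
    Transaction("T2", "ACH_OUT", 500.0, "alice", ["alice"]),
    # Check issued and reconciled by the same person.
    Transaction("T3", "CHECK", 1200.0, "carol", ["dave"], reconciled_by="carol"),
    # Profile change: alert only, no money moves.
    Transaction("T4", "ACH_PROFILE_CHANGE", 0.0, "bob"),
    # New vendor, but confirmed by calling a number on file: alert only.
    Transaction("T5", "WIRE_OUT", 3000.0, "alice", ["bob"], vendor="New Co", confirmed_out_of_band=True),
]

if __name__ == "__main__":
    report = daily_review(SAMPLE_TXNS, SAMPLE_VENDORS)
    for tid, findings in report.items():
        print(tid, findings)
    print("hold:", items_to_hold(report))
```

The review is deliberately a pure function over the day's items so it can be run against an export of the previous day's activity rather than wired into the payment path; the same findings can feed the alert e-mails the deck describes.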

Tech-Based Cybersecurity Can't Stop 'People Risk'

• Research shows that while technology may be necessary to keep malware, viruses and other forms of electronic intrusion at bay, it is insufficient. That is because the weakest link often turns out to be people who are either careless or not properly trained in cybersecurity processes.

To fend off cyberattacks requires more than the best anti-virus technology — it also demands a shift in culture.

http://www.americanbanker.com/bankthink/tech-based-cybersecurity-cant-stop-people-risk-1090314-1.html?utm_medium=email&ET=americanbanker:e7229037:4495691a:&utm_source=newsletter&utm_campaign=daily%20briefing-jul%2025%202016&st=email&eid=fde53dfe86654ae08b6cdc3d7e83eee0

Get the app: http://newsfusion.com/cyber-security

CONCLUSION

“Consider focusing more on people than technology. Try to use brevity, humor and other modes of engagement to help users understand the organization’s security and privacy challenges.”

-Chief Information Officer, Deloitte Services, LP 2014 Transforming Cybersecurity Report

“Cybercrime is a clear, present and permanent danger. While it’s a permanent condition, however, the actors, threats, and techniques are very dynamic.”

-Tom Ridge, former Secretary of the Dept. of Homeland Security, 2014 US State of Cybercrime Survey